Hacker News

blell today at 11:41 AM (8 replies)

No, it’s just that it’s crazy to hold the CEO liable for absolutely everything that can go wrong.


Replies

louthy today at 4:11 PM

> “absolutely everything”

It isn’t absolutely everything, it’s for negligence. If you don’t have basics in place, like independent pen-tests, ISO 27001 audits — or some equivalent — when you’re handling clinical data, then that’s negligence.

If a breach happens and you were seen to have followed best practice, you won’t be found criminally negligent.

That is part of being an executive. The buck stops with you — if you’re an executive, you’d better understand your obligations, you get the big bucks for a reason, it isn’t just a fancy job title.

Other people in the organisation can be held accountable for criminal acts, but when it comes to criminal negligence, it’s the executives that are liable, because it’s a systemic failure and you’re deemed to be in charge of the system.

HighGoldstein today at 1:32 PM

Is it sane to reward them for almost absolutely everything that goes right? Because that's the status quo for this position.

nkrisc today at 2:09 PM

But this is not “absolutely everything”. No one is saying CEOs should be accountable for every action of an individual employee.

So if not the CEO, who is accountable when something like this breach happens? The CTO? The PM? The DBA? Nobody? Maybe the developer who wrote the code or botched the configuration should be prosecuted?

CEOs can justify their pay by being accountable for what their company does. They’re the CEO, after all. Maybe they’ll care more when they have some actual skin in the game.

wolvoleo today at 6:07 PM

Well this is why they get paid so much isn't it? Because they carry the responsibility.

butvacuum today at 12:58 PM

Privatize the gains and socialize the losses. egh?

fifilura today at 4:08 PM

The CEO is responsible for ensuring that there is a routine for security.

If that is not created -> CEO responsibility.

If that is not followed -> top level mgmt responsibility.

And so on, further down the chain.

bn-l today at 1:03 PM

So who?

IshKebab today at 1:19 PM

It's normally the company directors that are personally liable.