Attorney Jonathan Armstrong Discusses AI, Vendor Consolidation, and Personal Liability in Cybersecurity
In an evolving digital landscape, where organizations increasingly entrust their critical operations to third-party vendors and implement artificial intelligence (AI) solutions, traditional methods of contract management and risk assessment are quickly becoming obsolete. This critical shift was addressed by Jonathan Armstrong, a partner at Punter Southall Law, during an interview with Information Security Media Group (ISMG) at Infosecurity Europe 2026. His insights highlight the pressing need for businesses to adapt to the new realities of cybersecurity threats.
Armstrong pointed out that many companies still rely on outdated risk management frameworks that operate under a "one and done" mentality, characteristic of a pre-digital era. These legacy practices assume a static environment where software and vendor capabilities do not evolve. Armstrong noted that contracts with vendors that have small employee counts, often fewer than ten, offer scant protection when these vendors experience significant data breaches. Such scenarios underscore the inadequacy of traditional contracts in safeguarding sensitive organizational data.
“While an organization may stipulate a financial penalty for a breach, the reality is that many small vendors do not have the financial resources to meet these conditions,” Armstrong explained. This discrepancy creates a significant risk for companies that may think their agreements provide solid protection. He elaborated on how firms often opt to reduce spending on product development and security when engaging in transactions involving these smaller vendors, exacerbating their vulnerability to cyber attacks.
The conversation further delved into the current trend of vendor consolidation and the surge in initial public offerings (IPOs) related to AI technologies. Armstrong articulated that these developments introduce novel blind spots for organizations already struggling to fend off attacks backed by nation-states. The rapidly changing landscape of threats necessitates a more proactive and adaptable approach to security measures.
Armstrong also touched upon the challenges posed by a growing maze of overlapping regulations that can distract cybersecurity professionals from focusing on their core responsibilities. In today’s intricate regulatory environment, maintaining compliance often diverts attention from implementing effective frontline defenses. For businesses striving to secure their data and systems, this diversion can have dire consequences.
Moreover, as the responsibilities of Chief Information Security Officers (CISOs) and board members expand, the expectation for personal liability has significantly increased. Armstrong highlighted that this trend is reshaping the expectations surrounding due diligence, adding a layer of pressure on those involved in corporate governance. As such, the importance of having an expert in cybersecurity and AI on every board cannot be overstated. According to Armstrong, a knowledgeable member can guide critical decision-making processes, ensuring that organizations remain resilient amid evolving threats.
Armstrong’s expertise extends across a broad spectrum of cybersecurity issues, including advising clients on compliance with the General Data Protection Regulation (GDPR) and navigating the complexities of AI-related risks. His role involves guiding multinational companies in Europe on matters of risk management and compliance, especially regarding data breaches and interactions with regulators. His experience positions him as one of the leading voices on the intersection of law and cybersecurity, making his insights particularly valuable to organizations striving to fortify their defenses in today’s digital age.
In summary, the interview presented by ISMG highlighted the critical necessity for organizations to reevaluate their risk frameworks and contract management practices in light of the rapidly changing technological landscape. With the emergence of AI and the increasing interconnectedness of businesses, adapting to these changes is not merely advisable; it is imperative for safeguarding against the growing tide of sophisticated cyber threats. As the challenges faced by organizations evolve, so too must their strategies, embracing a proactive and comprehensive approach to both cybersecurity and regulatory compliance.

