Without needing the Fight Club scene, "because the current [US] regulatory penalties are tiny, even when hundreds of millions of people's data is compromised. And there are rarely criminal charges against the executives of the companies who leaked the data". Until Congress legislates any solution.
If a CTO risks prison and having a criminal record because someone made a mistake, not too many people are going to want to be CTOs. Or you'll have to pay them a lot more.
a) "someone made a mistake" is not a good-faith characterization of "your software does not allow customers to mandate MFA organization-wide and audit that, you never fix that even though you market the capability, you're fully aware many of your customers are still only using 1FA and you continue to allow them to do that for months(/years?) even as you become aware other customers' credentials are being stolen by infostealers (possibly in some cases from the same contractor laptop working for multiple customers, or at least on the same network / at the same IT company)". Was it negligence? Gross negligence? By which parties? I'm sure that will be argued for years (look how long the 9/11 insurance lawsuits took). But "someone [one single person] made a mistake [one mistake]" it ain't.
b) Unclear: are you talking about the Snowflake CTO (or CEO/COO/CIO/CMO/General Counsel) or their customers' executives? Where did anyone say it was the Snowflake CTO's sole responsibility, or the sole responsibility of any single executive? There will presumably be Congressional hearings as well as an SEC inquiry, truckloads of civil suits, plus tech journalist coverage. Their customers' cyberinsurance might well decline to pay out; more lawsuits. I wouldn't jump to conclusions until those facts are in. But in the meantime the stock market will likely deliver a financial verdict much sooner, and Snowflake might have to change executives, or get acquired, or worse.
c) But the general proposition that management isn't a consequence-free country-club environment seems fairly self-evident.
d) Not too many people should want to be CEOs or COOs or CTOs of a large company (or be considered qualified or competent to), if they might be held responsible for negligence or criminal wrongdoing. Boeing and SVB both spring to mind, and we don't have the facts on those either. Monsanto/Roundup, 3M/PFAS, Sackler/opioids also.
e) But executives being held [civilly or even criminally] responsible in extreme cases is not an existential problem as you're suggesting, because the market will figure out how much to compensate them. If a good CTO, by their actions, avoids $10m in losses or reputational damage or lost customers every year, you could still pay them a lot while saving money, right? The case has been made that huge executive golden parachutes are a terrible practice, and that higher executive base compensation is better.
You wouldn't dispute that Sarbanes-Oxley was on balance a good thing? CEOs and CFOs know if they sign off on outright fraud, they could go to jail. Actual Sarbanes-Oxley prosecutions are very rare, but that's because it's having a deterrent effect.
Authentication, 2FA by SMS (going to a personal cellphone on a monthly contract), SIM-stealing, auditing whether MFA is in fact happening organization-wide, etc., all seem to be in the news constantly. If Congress wants to get in a moral panic about TikTok, maybe they could spare a session or two for this.