Who should take the fall after a corporate hack? It may soon be the CEO

A survey of 200 public companies shows that corporate boards are becoming more concerned about cybersecurity and are willing to hold top executives accountable for data breaches.

Photo: AP/File
After the December 2013 Target data breach, the only top executive to publicly pay a price for the incident was Chief Information Officer Beth Jacobs. CEO Gregg Steinhafel quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.

Data breaches can cost companies hundreds of millions of dollars, erode shareholder value, and indelibly tarnish corporate reputations. Yet, chief executives and other top brass at organizations that suffer such incidents have remained largely immune from the fallout.

That may be changing.

A new survey of 200 directors of public companies conducted by security firm Veracode and the New York Stock Exchange Governance Services shows that corporate boards have become much more serious about data breaches and are willing to hold top executives accountable for them.

More than four in 10 of the directors in the survey felt that a company's chief executive officer should take the rap for a data breach. When asked to prioritize who should be held accountable for such incidents, corporate boards ranked the chief executive officer first, followed by the chief information officer, and then the entire executive team.

Chief information security officers, often the fall guys in a data breach situation, ranked fourth in the list, suggesting that directors understand that security executives can do only as well as the support and the resources they get from top management.

Security has also become a growing priority for boards. In fact, 81 percent of the directors in the survey said information security matters have become a topic for discussion at most or every board meeting. Still, two-thirds professed being uncertain of their company's ability to avert a data breach, while more than 70 percent said they were significantly concerned about security risk from third-party software in the supply chain.

The numbers reflect a major shift in attitudes toward cybersecurity within corporate boards. Until the recent spate of mega breaches at Target, Sony, Home Depot, Anthem, and elsewhere, information security was hardly, if ever, a top item on the corporate risk-management agenda.

"Legal, regulatory, shareholder, and professional bodies are increasingly charging board members to become more accountable for this area of risk," said Martin Whitworth, an analyst at Forrester Research.

"Whilst this attention can only be a positive thing, it has to be balanced by the lack of confidence expressed by these same board directors in their companies' ability to properly mitigate against cyberrisk," he added.

The report shows boards need help in understanding the level of risk they face and the available options for dealing with it, Mr. Whitworth said.

Board members and chief executives have generally tended to view cybersecurity as a tactical mission best handled by the technology group. Accountability has been rare, and often restricted to the executives directly in charge of the security or technology function.

When Target suffered its massive data breach, the only top executive to pay a price for the incident, at least publicly, was Chief Information Officer Beth Jacobs. The CEO, Gregg Steinhafel, quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.

The same was true in previous incidents: When someone has been held accountable after a data breach, it was usually from the technology side. In 2012, when hackers broke into a Medicaid server at the Utah Department of Health and accessed some 24,000 records containing sensitive data, it was the executive director of the state's department of technology services who . In 2014, the Maricopa County Community College District in Arizona the longtime director of its information technology department for a breach that exposed Social Security Numbers and other sensitive information on more than two million people.

But growing concerns about brand damage, loss of intellectual property, and financial losses have changed how corporate boards view data breaches, says Chris Wysopal, chief technology officer of Veracode. Many appear willing to spread the blame around more evenly, he said.

"One of the key takeaways here is that they see the CEO as the one that is ultimately responsible" for cybersecurity, Mr. Wysopal said. "As breaches have gotten bigger and bigger [corporate] boards are beginning to see that security is ultimately not an IT problem relegated to a technology specialty but a much more broad based problem."

Liability concerns may be another factor driving the change of heart within corporate boards. Big breaches often spawn lawsuits from consumers, banks, and other affected parties. Target, Home Depot, and Anthem, for instance, were all hit with literally dozens of lawsuits in the aftermath of their breach disclosures. Typically, such lawsuits tend to get consolidated and then later dismissed by the courts or settled for relatively modest sums.

But some of the lawsuits have started raising thorny questions for companies. Last December, a Minnesota federal court ruled that Target could be sued for negligence because it failed to heed warnings about the breach from a security alerting system. Some have said the ruling could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches.

In May 2014, Institutional Shareholder Services, a company that advises shareholders on governance risk issues, called on Target shareholders to vote against seven of the 10 directors belonging to the company's Audit and Corporate Responsibility Committee for failing to provide enough risk oversight. Though all of the directors were reelected at the company's shareholder meeting last June, the incident should put companies on notice: Some stakeholders may have started running out of patience with corporate boards' attitudes toward cybersecurity, too.
