Qantas cutting CEO pay signals new era of cyber accountability

In early September, the board of Australia-based Qantas Airways voted to penalize CEO Vanessa Hudson and other top executives for a June 30 cyber incident that exposed the personally identifiable information of nearly 6 million passengers, deducting A$800,000 (US$522,000) from their bonuses.

The last time it became publicly known that a board withheld compensation from a CEO for a cybersecurity breach was in 2017, when Yahoo’s board denied CEO Marissa Mayer her $2 million bonus over the mishandling of several breaches that exposed the personal information of more than 1 billion users.

If the Qantas board ruling foretells a new era of holding CEOs financially accountable for cybersecurity, it will represent a welcome shift for CISOs, experts say.

“When the board penalized the CEO and the executive team financially, it reflected the board’s understanding of a new reality that cybersecurity is now so important that it’s the shared responsibility of all leadership,” Joe Sullivan, a former Uber CISO who was controversially convicted of obstruction and other charges related to a breach at the ride-hailing giant, tells CSO.

“This example is only the latest in a string of cases where accountability has shifted to the highest levels of organizations,” Sullivan adds. “Believe me, this voluntary action by the board has gotten a lot of attention and a lot of positive praise from the security community. It was the talk of the town at security events I attended both in London and San Francisco.”

Docking CEO pay, at least publicly, is a rare step for corporate boards, particularly when it comes to cybersecurity incidents. In a statement, the Qantas board said, “Despite the strong [financial] performance, the Board decided to reduce annual bonuses by 15 percentage points due to the impact the cyber incident had on our customers. This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers.”

Qantas Chairperson John Mullen stressed that the CEO and management responded quickly to support customers, but the board realized that the incident was serious and deserved financial ramifications, presumably to serve as a tangible reminder that CEOs should pay closer attention to the often-overlooked cybersecurity state of their organizations.

Qantas’ decision comes amid government agencies and regulators stepping up legal penalties for CEOs following breaches.

In 2022, for example, the US Federal Trade Commission held James Rellas, CEO of alcohol delivery service Drizly, now part of Uber Eats, personally responsible for presiding over the company’s failure to implement and enforce appropriate information security practices, which led to a data breach that exposed 2.5 million customers’ personal information.

Under new rules adopted by the US Securities and Exchange Commission (SEC) in 2023, CEOs and CFOs face significant personal and professional penalties for failing to oversee, report, or make accurate disclosures regarding material cybersecurity incidents, with the SEC able to impose fines on these leaders that can range into the millions of dollars for any violations.

At the US state level, data breach laws like the California Consumer Privacy Act and the New York SHIELD Act impose direct accountability on CEOs for cybersecurity governance and breach response. In the EU, under NIS2 (Network and Information Systems Directive 2) and DORA (Digital Operational Resilience Act), CEOs can be personally held liable and exposed to significant penalties for breaching cybersecurity rules.

“What you’re definitely seeing is a landscape that’s going to see more of these kinds of CEO legal liabilities rather than less,” Martin Tully, partner at law firm Redgrave LLP, tells CSO. “We’re really seeing a regulatory environment that’s going to continue to cast the spotlight on the higher-level executives. This is something that is a responsibility the highest levels of the organization need to take seriously.”

Paul Mee, partner at management consulting firm Oliver Wyman, thinks there could be even more hidden C-suite repercussions in the wake of data breaches that the public never sees. “Whether you get fired or whether you don’t get promoted or you get early retirement, these can all be consequences that aren’t always visible,” he tells CSO. “There aren’t always salacious articles in the media that say, ‘Hey, you got fired on the back of this.’ There are more subtle ways of doing it. I see it all the time.”

What should CISOs and CEOs do now?

CISOs, who have traditionally borne the brunt of breaches and malicious cyber incidents, should take heed of this growing trend. “Be aware of the environment and expectations today, and where they’re headed,” Redgrave’s Tully says. “Try to get out in front of that. You need to work with your board and your executive team to get them to take these things very seriously.”

And, as ransomware attacks and cyber incidents increasingly inflict damage on companies, outside investors are starting to demand more accountability from CEOs. “Companies that are providing venture capital or doing a lot of acquisitions, they’re now looking at due diligence on the cyber and privacy fronts almost at the same level as financial due diligence because of the growing importance,” Tully says.

As for CEOs, they need to work more closely with their boards to plug them into the organization’s data breach and incident response playbooks. “The board needs to be drilled, practiced, and fully aware of the risk so that when it happens, they have the muscle memory and communication capacity to deal with it,” Oliver Wyman’s Mee says. “Because without that, it’s going to go bad fast.”

Boards, for their part, appear to be coming up the learning curve quickly. “Increasingly, boards take this seriously,” Mee says. “I interact with a lot of boards. Cybersecurity is consistently a top-three item. AI is probably top of the list right now for boards. But cybersecurity is too important a topic and has gained greater visibility in front of boards than ever before.”

As CEOs and boards move forward, it should be clear that the data breach buck stops with CEOs and not CISOs and their security teams. “In the past, you’ve put an awful lot of burden of protection and de-risking on an individual who may have been cut from a different cloth and may also not have the power, influence, and governance capacity to effect the change needed for security,” Mee says.

Sullivan says, “No security team on its own can secure a company from attackers, as the company’s culture, risk tolerance, and investment in secure systems are defined collectively by the CEO.”
