Data breach: the ‘C suite’ takes the hit
As senior heads roll, why is the company board increasingly in the firing line?
The data breach at the Ashley Madison dating site has not only been devastating for the business and highly embarrassing for its customers, but has also brought about the resignation of its chief executive. Given that Ashley Madison is a business founded on the principle of confidentiality, a senior departure following the hack of millions of customer records is perhaps not surprising, but it illustrates how occupants of the ‘C suite’ are increasingly in the firing line when this growing risk materialises.
Striking at the very top
With other recent hacking attacks having also claimed the scalps of Target’s CEO and CIO, the Director of the US Office of Personnel Management, and the Co-Chair at Sony Pictures, it’s clear that a data breach at an organisation is increasingly likely to bring down those at the very top, says Christina Terplan, a US based lawyer at Clyde & Co. “The Ashley Madison CEO isn’t the first executive to step down after a data breach. The trend seems to be that someone [senior] will fall. This didn’t happen five years ago when there was a breach. No one really placed the blame on high level executives and companies were seen as more a victim of crime.”
Today, stakeholders – from customers and regulators, to shareholders or fellow board members – will line up to point the finger at the most senior people within an organisation, with the consequences for the directors often being far worse than simply a resignation letter and hasty exit. “They [chief executives] are not just losing their jobs, they’re having their careers shattered. We’re seeing them dragged into litigation, spending the next two years of their lives being deposed. These are life changing moments,” adds computer forensic expert Winston Krone, Managing Director of Kivu Consulting.
A top ten risk
A prime reason why senior heads roll following a data breach is that cyber risk is now regarded as one of the biggest threats facing an organisation, with the potential not only to disrupt the day-to-day operations of a business but also to inflict permanent damage on its reputation and brand. This sharp rise up the corporate risk agenda has been reflected in the increasing amount of time that the ‘C suite’ is prepared to spend looking at the risk. “Back in 1998,” says Marcus Breese, Line Underwriter at Hiscox, “when we were talking about cyber risks we’d be talking to the IT team, now it’s more likely to be the ‘C suite’.”
Given this increased focus, why then are ‘C suite’ executives more likely to be held personally responsible for a hacking attack? One problem, argues Breese, is the issue of prioritising resource. “There is a tendency to invest IT resource in new areas that generate new revenue; legacy systems don't always benefit from the same level of investment. It might not be as exciting, but big vulnerabilities can exist in that stuff in the cupboard that gets taken for granted and no one really looks at.” RBS’s recent technical woes, for example – including millions of customers unable to access their accounts and failed payments – were put down to a ‘legacy’ failure.
It’s an area of vulnerability that hits at the very top of an organisation because funding legacy systems is a strategic management decision. If the wrong decisions are made, the consequences will hit home. And it’s even worse if clear management failings are identified, says Terplan. “Did the board get a report about having a vulnerability on their system and decide not to fund it because it was too expensive? Or, heaven forbid, did they not even look into the security of their systems at a board level?”
‘When’ rather than ‘if’
The inevitability of a data breach – the 2015 Information Security Breaches Survey commissioned by the UK Government found that 9 out of 10 large organisations had suffered some sort of security breach – means that for the ‘C suite’, the first line of defence is diligent preparation. It’s an area that Chris Warrior, Head of Management Liability at Hiscox, is keen to explore when discussing directors’ and officers’ exposures with clients. “We talk to officers about what their plans are and what they’re doing to manage their exposure to cyber risks. And that, when an attack happens, their company’s ability to trade forwards will not be compromised.”
While cyber is a driver of directors’ and officers’ insurance cover, particularly in more exposed sectors such as healthcare and retail, Warrior doesn’t think, however, that cyber risk should be any more problematic for the ‘C suite’ than other exposures. “Exposures for directors and officers change and cyber is just another of those changing exposures alongside others such as merger and acquisition risks, the economic cycle and changing business practices. It is business as usual as long as you do business properly.”
There is a silver lining
The silver lining, concludes Krone, is that, like any well-managed crisis, a breach can actually be an opportunity to enhance reputations: “If you have a [data] breach – which let’s face it is inevitable – if it’s well handled it can be a feather in your cap as a ‘C suite’ executive.” Get it wrong, though, and the search for someone to blame will inevitably go right to the top.