Who should take the fall after a corporate hack? It may soon be the CEO

A survey of 200 public companies shows that corporate boards are becoming more concerned about cybersecurity and are willing to hold top executives accountable for data breaches.

After the December 2013 Target data breach, the only top executive to publicly pay a price for the incident was Chief Information Officer Beth Jacobs. CEO Gregg Steinhafel quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.

AP/File

May 28, 2015

Data breaches can cost companies hundreds of millions of dollars, erode shareholder value, and indelibly tarnish corporate reputations. Yet, chief executives and other top brass at organizations that suffer such incidents have remained largely immune from the fallout.

That may be changing.

A new survey of 200 directors of public companies conducted by security firm Veracode and the New York Stock Exchange Governance Services shows that corporate boards have become much more serious about data breaches and are willing to hold top executives accountable for them.

Why many in Ukraine oppose a ‘land for peace’ formula to end the war

More than four in 10 of the directors in the survey felt that a company’s chief executive officer should take the rap for a data breach. When asked to prioritize who should be held accountable for such incidents, corporate boards ranked the chief executive officer first, followed by the chief information officer, and then the entire executive team.

Chief information security officers, often the fall guys in a data breach situation, ranked fourth in the list – suggesting that directors get it that security executives can do only as well as the support and the resources they get from top management.

Security has also become a growing priority for boards. In fact, 81 percent of the directors in the survey said information security matters have become a topic for discussion at most or every board meeting. Still, two-thirds professed being uncertain of their company’s ability to avert a data breach, while more than 70 percent said they were significantly concerned about security risk from third-party software in the supply chain.

The numbers reflect a major shift in attitudes toward cybersecurity within corporate boards. Until the recent spate of mega breaches at Target, Sony, Home Depot, Anthem, and elsewhere, information security was hardly, if ever, a top item on the corporate risk-management agenda.

"Legal, regulatory, shareholder, and professional bodies are increasingly charging board members to become more accountable for this area of risk,” said Martin Whitworth, an analyst at Forrester Research.

Howard University hoped to make history. Now it’s ready for a different role.

“Whilst this attention can only be a positive thing, it has to be balanced by the lack of confidence expressed by these same board directors in their companies ability to properly mitigate against cyberrisk,” he added.

The report shows boards need help in understanding the level of risk they face and the available options for dealing with them, Mr. Whitworth said.

Board members and chief executives have generally tended to view cybersecurity as a tactical mission best handled by the technology group. Accountability has been rare, and often restricted to the executives directly in charge of the security or technology function.

When Target suffered its massive data breach, the only top executive to pay a price for the incident, at least publicly, was Chief Information Officer Beth Jacobs. The CEO, Gregg Steinhafel, quit the company a few months after the breach, but his exit is believed to have had more to do with a botched expansion in Canada than just the breach.

The same was true in previous incidents: When someone has been held accountable after a data breach, it was usually from the technology side. In 2012, when hackers broke into a Medicaid server at the Utah Department of Health and accessed some 24,000 records containing sensitive data, it was the executive director of the state’s department of technology services who had to quit. In 2014, the Maricopa County Community College District in Arizona fired the longtime director of its information technology department for a breach that exposed Social Security Numbers and other sensitive information on more than two million people.

But growing concerns about brand damage, loss of intellectual property, and financial losses have changed how corporate boards view data breaches, says Chris Wysopal, chief technology officer of Veracode. Many appear willing to spread the blame around more evenly, he said.

“One of the key takeaways here is that they see the CEO as the one that is ultimately responsible” for cybersecurity, Mr. Wysopal said. “As breaches have gotten bigger and bigger [corporate] boards are beginning to see that security is ultimately not an IT problem relegated to a technology specialty but a much more broad based problem.”

Liability concerns may be another factor driving the change of heart within corporate boards. Big breaches often spawn lawsuits from consumers, banks, and other affected parties. Target, Home Depot, and Anthem, for instance, were all hit with literally dozens of lawsuits in the aftermath of their breach disclosures. Typically, such lawsuits tend to get consolidated and then later dismissed by the courts or settled for relatively modest sums. 

But some of the lawsuits have started raising thorny questions for companies. Last December, a Minnesota federal court ruled that Target could be sued for negligence because it failed to heed warnings about the breach from a security alerting system. Some have said the ruling could set in motion new legal standards for bringing negligence claims against organizations that suffer data breaches.

In May 2014, Institutional Shareholder Services, a company that advises shareholders on governance risk issues called on Target shareholders to vote against seven of the 10 directors belonging to the company’s Audit and Corporate Responsibility Committee for failing to provide enough risk oversight. Though all of the directors were reelected at the company’s shareholder meeting last June, the incident should put companies on notice: Some stakeholders may have started running out of patience with corporate boards' attitudes toward cybersecurity, too.