Should one cybersecurity mistake mean the end of a CEO's career?
In one case, a tenured CEO made one cybersecurity mistake and was fired. Expert Mike O. Villegas discusses whether this sets a precedent for enterprises going forward.
Recently, the Austrian aircraft company FACC fired its CEO of 20 years because he fell victim to an online scam that cost the company over $50 million. Does the decision to fire a tenured CEO for one cybersecurity mistake set a precedent? Will other boards follow suit?
The Sarbanes-Oxley Act of 2002 came about after a series of well-publicized corporate frauds, such as Enron, WorldCom, Sunbeam, Xerox and Global Crossing. In all of these cases, corporate malfeasance led the Sarbanes-Oxley Act to impose financial and technical regulations for the purpose of improving the accuracy and reliability of financial reporting.
Some have viewed the Sarbanes-Oxley Act as a knee-jerk reaction to these fraudulent events, believing that the regulations are imposing and burdensome; however, cybersecurity professionals and systems auditors, who have historically found resistance in deploying even baseline controls, viewed it favorably.
In addition to improvements in the design and effectiveness of internal controls, the Sarbanes-Oxley Act requires CEOs and CFOs to certify the accuracy of their financial statements, for which they are personally liable. Since then, numerous highly publicized breaches, at companies such as Target, Home Depot, Sony, TalkTalk and, more recently, the Austrian aircraft parts company FACC, have resulted in the terminations of CEOs and other executives. But do these breaches establish a trend in which executives become collateral damage for a cybersecurity mistake?
Executive termination for cybersecurity mistake
The precedent of CEO, CFO and executive tenure risk was set with the Sarbanes-Oxley Act, although few executive terminations have resulted due to noncompliance or inaccurate financial reporting. The recent breaches have resulted in executive terminations, not due to the Sarbanes-Oxley Act, as it applies strictly to public companies, but because the company needed to send a message to company stockholders.
The Payment Card Industry Data Security Standard requires that executives sign the Attestation of Compliance report, which states "All information within the above referenced ROC [Report of Compliance] and in this attestation fairly represents the results of my assessment in all material respects."
What we are seeing now is the role of the CEO and board members including a personal liability, which they need to take seriously. A cybersecurity mistake made by the CEO or CFO that results in tangible financial losses could make the CISO collateral damage, and could even make him a scapegoat for executive management.
CEO tenure is no longer at risk due to corporate malfeasance. CEO tenure is now at risk based on the effective control and protection of corporate assets.
This is not necessarily unreasonable. What it does do is put the onus on the CEO to ensure the right CISO is hired and that the proper protection is deployed. Cybersecurity is not just a necessary evil; it is risk based, and accountability ultimately rests with the board.