Qantas cutting CEO pay signals new era of cyber accountability

In early September, the board of Australia-based Qantas Airways voted to penalize CEO Vanessa Hudson and other top executives for a June 30 cyber incident that exposed the personally identifiable information of nearly 6 million passengers, deducting A$800,000 (US$522,000) from their bonuses.

The last time it became publicly known that a board withheld compensation from a CEO for a cybersecurity breach was in 2017, when Yahoo’s board denied CEO Marissa Mayer her $2 million bonus over the mishandling of multiple breaches that exposed the personal information of more than 1 billion users.

If the Qantas board ruling foretells a new era of holding CEOs financially accountable for cybersecurity, it will represent a welcome shift for CISOs, experts say.

“When the board penalized the CEO and the executive team financially, it reflected the board’s understanding of a new reality that cybersecurity is now so important that it is the shared responsibility of all leadership,” Joe Sullivan, a former Uber CISO who was controversially convicted of obstruction and other charges related to a breach at the ride-hailing giant, tells CSO.

“This example is only the latest in a string of cases where accountability has shifted to the highest levels of organizations,” Sullivan adds. “Believe me, this voluntary action by the board has gotten a lot of attention and a lot of positive praise from the security community. It was the talk of the town at security events I joined both in London and San Francisco.”

Growing legal action and regulation also shift accountability to CEOs

Docking CEO pay, at least publicly, is a rare step for corporate boards, particularly when it comes to cybersecurity incidents. In a statement, the Qantas board said, “Despite the strong [financial] performance, the Board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers. This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers.”

Qantas Chairperson John Mullen stressed that the CEO and management responded quickly to help customers, but the board realized that the incident was serious and deserved financial ramifications, presumably to serve as a tangible reminder that CEOs should pay closer attention to the often-overlooked cybersecurity state of their organizations.

Qantas’ decision comes amid government agencies and regulators stepping up legal penalties for CEOs following breaches.

In 2022, for example, the US Federal Trade Commission held James Rellas, CEO of alcohol delivery service Drizly, now a part of Uber Eats, personally liable for presiding over the company’s failure to implement and apply appropriate information security practices, which led to a data breach that exposed 2.5 million consumers’ personal information.

Under new rules adopted by the US Securities and Exchange Commission (SEC) in 2023, CEOs and CFOs face significant personal and professional penalties for failing to oversee, report, or make accurate disclosures regarding material cybersecurity incidents, with the SEC able to impose fines on these leaders that can range into the millions of dollars for any violations.

At the US state level, data breach laws like the California Consumer Privacy Act and the New York SHIELD Act impose direct accountability on CEOs for cybersecurity governance and breach response. In the EU, under NIS2 (Network and Information Systems Directive 2) and DORA (Digital Operational Resilience Act), CEOs can be personally held liable and exposed to significant penalties for breaching cybersecurity rules.

“What you’re definitely seeing is a landscape that is going to see more of these kinds of CEO legal liabilities rather than less,” Martin Tully, partner at law firm Redgrave LLP, tells CSO. “We’re certainly seeing a regulatory environment that is going to continue to cast the spotlight on the higher-level executives. This is something that is a responsibility the highest levels of the organization need to take seriously.”

Paul Mee, partner at management consulting firm OliverWyman, thinks there could be a lot more hidden C-suite repercussions in the wake of data breaches that the public never sees. “Whether you get fired or whether you don’t get promoted or you get early retirement, these can all be consequences that aren’t always visible,” he tells CSO. “There aren’t always salacious articles in the media that say, ‘Hey, you got fired on the back of this.’ There are more subtle ways of doing it. I see it all the time.”

What should CISOs and CEOs do now?

CISOs, who have historically borne the brunt of breaches and malicious cyber incidents, should take heed of this emerging trend. “Be aware of the environment and expectations today, and where they’re headed,” Redgrave’s Tully says. “Try to get out in front of that. You need to work with your board and your executive team to get them to take these things very seriously.”

And, as ransomware attacks and cyber incidents increasingly inflict damage on companies, outside investors are starting to demand more accountability from CEOs. “Companies that are providing venture capital or doing a lot of acquisitions, they’re now looking at due diligence on the cyber and privacy fronts almost at the same level as financial due diligence because of the growing importance,” Tully says.

As for CEOs, they need to work more closely with their boards to plug them into the organization’s data breach and incident response playbooks. “The board needs to be drilled, practiced, and fully aware of the risk so that when it happens, they have the muscle memory and communication ability to deal with it,” OliverWyman’s Mee says. “Because without that, it’s going to go bad fast.”

Boards, for their part, appear to be coming up the learning curve quickly. “Increasingly, boards take this seriously,” Mee says. “I interact with a lot of boards. Cybersecurity is consistently a top-three item. AI is probably top of the list right now for boards. But cybersecurity is too important a topic and has gained greater visibility in front of boards than ever before.”

As CEOs and boards move forward, it should be clear that the data breach buck stops with CEOs and not CISOs and their security teams. “In the past, you’ve put an awful lot of burden of protection and de-risking on an individual who may have been cut from a different cloth and may also not have the power, influence, and governance ability to influence the change needed for security,” Mee says.

Sullivan says, “No security team by itself can secure a company from attackers, as the company’s culture, risk tolerance, and investment in secure systems are defined collectively by the CEO.”
