{"id":5057,"date":"2025-09-26T07:00:00","date_gmt":"2025-09-26T07:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5057"},"modified":"2025-09-26T07:00:00","modified_gmt":"2025-09-26T07:00:00","slug":"qantas-cutting-ceo-pay-signals-new-era-of-cyber-accountability","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5057","title":{"rendered":"Qantas cutting CEO pay signals new era of cyber accountability"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In early September, the board of Australia-based Qantas Airways voted to penalize CEO Vanessa Hudson and other top executives for a <a href=\"https:\/\/www.qantas.com\/au\/en\/support\/information-for-customers-on-cyber-incident.html\">June 30 cyber incident<\/a> that exposed the personally identifiable information of <a href=\"https:\/\/www.bbc.com\/news\/articles\/cd6gnyl9923o\">nearly 6 million passengers<\/a>, deducting A$800,000 (US$522,000) from their bonuses.<\/p>\n<p>The last time it became publicly known that a board withheld compensation from a CEO for a cybersecurity breach was in 2017, when <a href=\"https:\/\/www.theguardian.com\/technology\/2017\/mar\/02\/yahoo-boss-marissa-meyer-loses-millions-in-bonuses-over-security-lapses\">Yahoo\u2019s board denied CEO Marissa Mayer<\/a> her $2 million bonus over the mishandling of multiple breaches that exposed the personal information of more than 1 billion users.<\/p>\n<p>If the Qantas board ruling foretells a new era of holding CEOs financially accountable for cybersecurity, it will represent a welcome shift for CISOs, experts say.<\/p>\n<p>\u201cWhen the board penalized the CEO and the executive team financially, it reflected the board\u2019s understanding of a new reality that cybersecurity is now so important that it is the 
shared responsibility of all leadership,\u201d <a href=\"https:\/\/en.wikipedia.org\/wiki\/Joe_Sullivan_(Internet_security_expert)\">Joe Sullivan<\/a>, a former Uber CISO who was controversially <a href=\"https:\/\/www.justice.gov\/usao-ndca\/pr\/former-chief-security-officer-uber-sentenced-three-years-probation-covering-data\">convicted of obstruction and other charges<\/a> related to a breach at the ride-hailing giant, tells CSO.<\/p>\n<p>\u201cThis example is only the latest in a string of cases where accountability has shifted to the highest levels of organizations,\u201d Sullivan adds. \u201cBelieve me, this voluntary action by the board has gotten a lot of attention and a lot of positive praise from the security community. It was the talk of the town at security events I joined both in London and San Francisco.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Growing legal action and regulation also shift accountability to CEOs<\/h2>\n<p>Docking CEO pay, at least publicly, is a rare step for corporate boards, particularly when it comes to cybersecurity incidents. In a statement, the <a href=\"https:\/\/www.qantasnewsroom.com.au\/media-releases\/release-of-the-qantas-group-annual-report-and-sustainability-report-2\/\">Qantas board said<\/a>, \u201cDespite the strong [financial] performance, the Board decided to reduce annual bonuses by 15 percentage points as a result of the impact the cyber incident had on our customers. 
This reflects their shared accountability, while acknowledging the ongoing efforts to support customers and put in place additional protections for customers.\u201d<\/p>\n<p>Qantas Chairperson John Mullen stressed that the CEO and management responded quickly to help customers, but the board realized that the incident was serious and deserved financial ramifications, presumably to serve as a tangible reminder that CEOs should pay closer attention to the often-overlooked cybersecurity state of their organizations.<\/p>\n<p>Qantas\u2019 decision comes amid government agencies and regulators stepping up legal penalties for CEOs following breaches.<\/p>\n<p>In 2022, for example, the US Federal Trade Commission <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2022\/10\/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million\">held James Rellas<\/a>, CEO of alcohol delivery service Drizly, now a part of Uber Eats, personally liable for presiding over the company\u2019s failure to implement and apply appropriate information security practices, which led to a data breach that exposed 2.5 million consumers\u2019 personal information.<\/p>\n<p>Under <a href=\"https:\/\/www.sec.gov\/rules-regulations\/2023\/07\/s7-09-22\">new rules<\/a> adopted by the US Securities and Exchange Commission (SEC) in 2023, CEOs and CFOs face significant personal and professional penalties for failing to oversee, report, or make accurate disclosures regarding material cybersecurity incidents, with the SEC able to impose fines on these leaders that can range into the millions of dollars for any violations.<\/p>\n<p>At the US state level, data breach laws like the <a href=\"https:\/\/www.csoonline.com\/article\/565923\/california-consumer-privacy-act-what-you-need-to-know-to-be-compliant.html\">California Consumer Privacy Act<\/a> and the New York SHIELD Act 
<a href=\"https:\/\/aaronhall.com\/ceo-liability-for-data-breaches-under-state-data-laws\/\">impose<\/a> direct accountability on CEOs for cybersecurity governance and breach response. In <a href=\"https:\/\/exeon.com\/blog\/why-managers-are-liable-for-nis2-and-dora\/#:~:text=As%20a%20result%2C%20governing%20bodies,effective%2C%20proportionate%20and%20dissuasive%E2%80%9D.\">the EU<\/a>, under NIS2 (Network and Information Systems Directive 2) and <a href=\"https:\/\/www.csoonline.com\/article\/570091\/eus-dora-regulation-explained-new-risk-management-requirements-for-financial-firms.html\">DORA (Digital Operational Resilience Act)<\/a>, CEOs can be personally held liable and exposed to significant penalties for breaching cybersecurity rules.<\/p>\n<p>\u201cWhat you\u2019re definitely seeing is a landscape that is going to see more of these kinds of CEO legal liabilities rather than less,\u201d <a href=\"https:\/\/www.redgravellp.com\/bio\/martin-t-tully\">Martin Tully<\/a>, partner at law firm Redgrave LLP, tells CSO. \u201cWe\u2019re certainly seeing a regulatory environment that is going to continue to cast the spotlight on the higher-level executives. This is something that is a responsibility the highest levels of the organization need to take seriously.\u201d<\/p>\n<p><a href=\"https:\/\/www.oliverwyman.com\/our-culture\/our-people\/paul-mee.html\">Paul Mee<\/a>, partner at management consulting firm OliverWyman, thinks there could be a lot more hidden C-suite repercussions in the wake of data breaches that the public never sees. \u201cWhether you get fired or whether you don\u2019t get promoted or you get early retirement, these can all be consequences that aren\u2019t always visible,\u201d he tells CSO. 
\u201cThere aren\u2019t always salacious articles in the media that say, \u2018Hey, you got fired on the back of this.\u2019 There are more subtle ways of doing it. I see it all the time.\u201d<\/p>\n<h2 class=\"wp-block-heading\">What should CISOs and CEOs do now?<\/h2>\n<p>CISOs, who have <a href=\"https:\/\/www.csoonline.com\/article\/3587236\/77-of-cisos-fear-next-big-breach-will-get-them-fired.html\">historically borne the brunt of breaches<\/a> and malicious cyber incidents, should take heed of this emerging trend. \u201cBe aware of the environment and expectations today, and where they\u2019re headed,\u201d Redgrave\u2019s Tully says. \u201cTry to get out in front of that. You need to work with your board and your executive team to get them to take these things very seriously.\u201d<\/p>\n<p>And, as ransomware attacks and cyber incidents increasingly inflict damage on companies, outside investors are starting to demand more accountability from CEOs. \u201cCompanies that are providing venture capital or doing a lot of acquisitions, they\u2019re now looking at due diligence on the cyber and privacy fronts almost at the same level as financial due diligence because of the growing importance,\u201d Tully says.<\/p>\n<p>As for CEOs, they need to work more closely with their boards to plug them into the organization\u2019s data breach and incident response playbooks. \u201cThe board needs to be drilled, practiced, and fully aware of the risk so that when it happens, they have the muscle memory and communication ability to deal with it,\u201d OliverWyman\u2019s Mee says. \u201cBecause without that, it\u2019s going to go bad fast.\u201d<\/p>\n<p>Boards, for their part, appear to be coming up the learning curve quickly. \u201cIncreasingly, boards take this seriously,\u201d Mee says. \u201cI interact with a lot of boards. Cybersecurity is consistently a top-three item. AI is probably top of the list right now for boards. 
But cybersecurity is too important a topic and has gained greater visibility in front of boards than ever before.\u201d<\/p>\n<p>As CEOs and boards move forward, it should be clear that the data breach buck stops with CEOs and not CISOs and their security teams. \u201cIn the past, you\u2019ve put an awful lot of burden of protection and de-risking on an individual who may have been cut from a different cloth and may also not have the power, influence, and governance ability to influence the change needed for security,\u201d Mee says.<\/p>\n<p>Sullivan says, \u201cNo security team by itself can secure a company from attackers, as the company\u2019s culture, risk tolerance, and investment in secure systems are defined collectively by the CEO.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In early September, the board of Australia-based Qantas Airways voted to penalize CEO Vanessa Hudson and other top executives for a June 30 cyber incident that exposed the personally identifiable information of nearly 6 million passengers, deducting A$800,000 (US$522,000) from their bonuses. 
The last time it became publicly known that a board withheld compensation from [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5058,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5057","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5057"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5057"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5057\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5058"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5057"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5057"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5057"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}