Panic in the Board Room! Should CEOs be Held Accountable for Cyber Attacks?

A string of high-profile breaches with high-stake dismissals has put cyber accountability firmly on the map for execs. But when the proverbial hits the fan, who is ultimately accountable? Eleanor Dallaway finds out…

“I’m accountable and responsible for security in [TalkTalk]. I was before this criminal attack and am now”. These were the words of Dido Harding, to a parliament committee, in 2015. This is old news. So why on earth are Harding’s words still deserving of column inches seven years later?

Perhaps it’s because the question of accountability still ruminates in businesses worldwide. That old-age debate over where the buck stops and whether the act of hiring a CISO means passing over that baton of risk? Perhaps it’s the intrigue that Harding, who was, by her confession, “responsible for security” at TalkTalk ̵– the organisation slapped with an at-the-time record fine of £400,000 for security failings under her leadership – was later trusted to lead the UK’s NHS Covid app, earning unsurprising backlash? There’s no denying it was a controversial appointment, given her track record with handling data. Or maybe it’s because the cybersecurity industry bats around discussions of scapegoats at a rate of knots?

A list of the fallen

Gartner reported increased blame and punishment of CEOs due to cybersecurity-related events years ago. They wrote that the consequences “include dismissal, resignation or loss of significant compensation.” High-profile resignations and dismissals have been hitting the headlines for years.

Target CEO Gregg Steinhafel resigned from his position as CEO after that enormous cyber attack. Richard Smith stepped down as CEO of Equifax after one of the biggest cyber attacks in history. Amy Pascal, the former CEO of Sony, admitted she was fired as a consequence of the 2014 breach, and Chris Coonan, CEO of Landmark White group, resigned in the wake of the data breach.

Let’s talk about TalkTalk

If 2015 is a distant and hazy memory for you, firstly, you’re forgiven; we’ve had a global pandemic to contend with since then. Secondly, let’s bring you up to speed.

In October 2015, TalkTalk was hit by a cyber attack that compromised the personal data of more than 150,000 customers. The Information Commissioner at the time, Elizabeth Denham, said: “TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information.” The remark was deservedly scathing.

Eighteen months later, Harding stood down as CEO of TalkTalk, something she claimed had nothing to do with the cyber attack, which she cringingly referred to as “ancient history”. Instead, she justified her move with the line, “I’m a really big believer in chief executives not staying forever,” she told The Guardian at the time. When she left in 2017, the company’s share price was down almost 30% from the year before. In the same time period, the FTSE 100 grew by more than 15%.

In the wake of the ordeal, MPs called for the bosses of hacked companies to be fined. Whilst Harding wasn’t fined, TalkTalk slashed her cash bonus in half, from £432,000 to £220,000, resulting from the data breach. She donated it to Ambitious about Autism charity. However, many argued that the ‘stick’ didn’t go far enough in the TalkTalk case.

According to Chris Federspiel, CEO of Blackthorn.io, fines or punishment should ultimately come down to the CEO’s behaviours leading to the cyber attack. “Was it an issue they knew about and did nothing about? Or was it something no one could have predicted from an entry point and no one knew about?” In the case of negligence, Federspiel says, “there should be a penalty if that organisation was responsible for PII or confidential corporate data. The degree of the negligence should impact the penalty.” He suggests either a financial forfeit or community service.

Brian Honan, CEO of BH Consulting, explains that under specific regulatory regimes, such as the GDPR, CEOs should be aware that “the organisation could be penalised by the supervisory authority, but also, so can individuals within the organisation if they have been negligent.” Apart from regulatory impacts, if a business suffers significantly from negligence from the CEO, “then the board, or other key stakeholders, should take appropriate steps to discipline the CEO,” he adds.

“Cyber risk is business risk,” agreed Wendy Nather, head of advisory CISOs at Cisco. “Any CEO would expect to see consequences for negligence in managing business risk, especially when it results in fines or other harm to the company.”

Shining examples

Let’s not fall into the quintessential cybersecurity approach of shining a spotlight on disasters whilst sweeping successes under the carpet. There are fantastic examples of CEOs that have handled cyber incidents decisively and effectively, with integrity and transparency.

Home Depot’s Frank Blake springs to mind. In 2014, Blake had only recently announced his resignation and successor when he learned of the breach that compromised the sensitive data of 56 million Home Depot customers. Many would have thanked their lucky stars for the fortuitous timing of their planned departure and hit the road.

Blake, however, sat tight. He took full responsibility, empowered his team to fix the problem and kept customers’ needs at the forefront.

“Any CEO would expect to see consequences for negligence in managing business risk, especially when it results in fines or other harm to the company.” Wendy Nather

Within hours of learning of the breach, the company issued a statement of apology to its customers, “mercifully free or mealy-mouthed corporate jargon” Fortune appraised at the time. Five days later, a personal apology came from Blake, who had battened down the hatches with his CISO in the newly created incident response room. Impressively, Home Depot hired a call centre capable of handling 50,000 calls a day to serve customers following the breach, and within a fortnight, enhanced encryption systems had been installed.

Blake didn’t shy away from self-criticism and candidly told the Wall Street Journal: “If we rewind the tape, our security systems could have been better…Data security just wasn’t high enough in our mission statement.”

And then there was Colonial Pipeline. In 2021, when a significant cyber attack hit the US’s most extensive pipeline system for refined oil products, its CEO, Joe Blount, immediately got his hands dirty. At the Mandiant cyber defence summit in Washington DC in October 2021, he said: “Your typical CEO job went out the door.” Like many of his execs, Blount was allocated a specific role in the response effort. He was the point of contact and conduit for communing with the US Department of Energy about the attack and recovery effort. “In our case, the CEO’s responsibility immediately became to contain the attack and remediate the situation. That becomes the focus,” he said of his role.

The above demonstrates that cyber incidents don’t automatically reflect negatively on CEOs. Judgement is instead formed on their response. “How an organisation responds to the data breach will determine what impact there may be on the CEO’s reputation,” says Honan. “If a CEO makes ill-informed commentary or exaggerates certain facts that are later proven false, such as announcing the attack was state-sponsored only to be found later to be a teenage hacker, then that can have a major impact on the CEO’s reputation.” He adds that if an organisation’s security shortfalls are revealed to be a result of the CEO’s lack of support, they will not be reflected in the best light. “A cyber attack should not be the end of a CEO’s career, providing they can demonstrate they have taken positive learnings that will be applied to their current and future roles,” he adds.

The ideal response 

It’s all very well and good analysing past incidents, but let’s make these learnings actionable – what does a good response look like? It can be broken down into three areas.

1.  Messaging: The speed, the integrity and the tone of public acknowledgement are essential. Be fast, be transparent, avoid cliches and stick to the facts.
2. Accountability: Acknowledging the impact on customers and clients is vital. Be candid about where the weakness was and own any failings.
3. Action: Take positive action as quickly as possible and relay that to customers. If a CEO is fortunate enough to have taken out cyber insurance, engage with the broker immediately to capitalise on their expertise, incident response and financial support.

Nather summarises her advice for CEO response as simply “Being prompt, honest, transparent and responsive — in other words, doing the right thing for the affected stakeholders and protecting the company’s reputation.”

The blame game 

In a past interview, Harding told Infosecurity Magazine that despite being “pushed to blame someone else” for the TalkTalk breach, “I just knew it was me. The chief executive is ultimately responsible,” she said.

CEOs who neglect to get their hands dirty regarding cybersecurity preparedness and understanding risk are less likely to weather the storm when an attack occurs and find themselves knee-deep in incident response.

Federspiel says that while the CEO hands over all responsibility for cybersecurity to the CISO, they remain ultimately accountable. He’s not alone in this theory, which is shared by many, including Nather, who states: “The best scenario is when the CEO is engaged on the topic of managing cybersecurity risk, but fully trusts and supports the CISO to handle as much responsibility as possible.”

“TalkTalk’s failure to implement the most basic cybersecurity measures allowed hackers to penetrate TalkTalk’s systems with ease. Yes, hacking is wrong, but that is not an excuse for companies to abdicate their security obligations” Elizabeth Denham, Former Information Commissioner 

“The CEO is responsible for the organisation achieving its strategic goals and therefore ultimately responsible for all key aspects,” adds Honan. “So while the CISO or the CIO may be responsible for their own individual areas, the CEO ensures they have the appropriate time, budgets, resources, and support to deliver.”

But what does the Board think?

The internal perception of blame is a different consideration altogether. There has been a significant change in how boards and NEDs view cyber risk and accountability over the past several years, and it is no longer seen as the sole responsibility of the IT function.

“Regulations, such as GDPR, NIS2, PCI DSS, and the increased adoption of cyber insurance has brought cyber into focus for the board and NEDs,” explains Honan. He adds that the high-profile coverage of ransomware attacks has reinforced the impact a successful cyber attack could have on a business. Nather agrees. “Boards and non-executive directors are finally moving to accept cybersecurity risk as a legitimate business risk. In the past, they might have acknowledged that it was some level of risk and might have agreed with the potential impact of an incident, but they would not agree on the probability of an incident happening. Now that cybersecurity incidents are more widespread and public, executives finally understand that the probability is higher than they thought. Therefore, the cyber risk ranks right up there with the other risks they manage daily.”

So it’s pretty much unanimous; the buck stops with the CEO. Bearing in mind that ultimately, the criminal behind the cyber incident is responsible and accountable, heads will still roll, particularly in the event of negligence. Given this undisputed opinion, it’s surprising that so many companies don’t directly engage with cyber upskilling and that there are CEOs that fail to arm themselves with the knowledge needed for cyber preparedness.

CEOs may not always be able to prevent an incident, but they can control their reaction to it, and the quality and speed of that reaction will make or break their career. Preparedness is the key to ensuring it will be the former.