Post-Breach, Red-Faced CEOs: You’re Fired

Cyber incidents can define a CEO’s career, as can a blush-worthy security faux pas that captures the attention of their board, the media or even the FTC. Phil Muncaster investigates

For many years, cybersecurity has been regarded as something of a black box for business executives. The prevailing thinking has been to let the CIO or the CISO worry about it as a purely technology-related challenge.  However, that thinking is starting to change at the top as more CEOs are forced to fall on their sword before customers and shareholders.

American businessman Warren Buffet once said, “It takes 20 years to build a reputation and five minutes to ruin it.” Business leaders might want to consider those wise words as they reappraise their relationship with and responsibility for cyber.

The fallen

Cyber risk is a critical business risk. While everything is going well, however, there may be a temptation from the top to pay little more than lip service to such matters. Research reveals that 69% of business and tech leaders believe cybersecurity is either mostly or entirely a technology area with little relevance to the business. This kind of myopia can have disastrous results for CEOs.

Take the Target breach of 2013. Threat actors took advantage of multiple points of failure – including a third-party supplier whose access credentials were compromised and an improperly segmented network which allowed the hackers to jump easily from a vendor portal to reach Target customer data. Does “improperly segmented network” mean anything to you? It doesn’t matter either way; in short, cyber criminals accessed Target data.

Some 40 million payment cards and 70 million customer records were compromised. The total cost to Target exceeded $200m (£167m) and the retailer had to work hard to win back public trust following the incident. CEO Gregg Steinhafel resigned several months later. Although he received a healthy severance package, Steinhafel has been unable to secure any other top jobs with big-name companies in the decade following the incident.

Next, let’s consider the Equifax breach of 2017 – one of the biggest of all time. Chinese hackers stole data on 145 million customers, including highly sensitive details like social security numbers. The embarrassingly simple route cause was a failure to patch a widely known vulnerability. That open door then allowed the hackers to exploit multiple other security failings. It took Equifax over a month to send breach notifications, during which time it transpired that some executives cunningly sold off their shares.

“It took Equifax over a month to send breach notifications, during which time it transpired that some executives cunningly sold off their shares.”

The post-incident response was also a mess. Equifax set up a special but insecure domain (arguably not very special at all), ‘equifaxsecurity2017.com’, to handle customer breach queries. However, many thought it was a phishing scam. Some Equifax staff even misdirected customers to a lookalike but incorrect domain.

Equifax said post-breach costs hit $1.4bn, and financial research firm Moody’s even downgraded its rating outlook – the first time such action had been taken due to cybersecurity concerns. Equifax subsequently reached a settlement of up to $700m with the FTC. Chairman and CEO, Richard Smith, issued a squirming public apology via video but was subsequently forced into early retirement.

Finally, let’s look at the cautionary tale of TalkTalk’s 2015 data breach. A cyber attack on unpatched legacy systems was enough to compromise the UK ISP, compromising the data of around 150,000 customers and costing the company tens of millions of pounds. Its incident response was a shocking case study on how not to respond to a serious cybersecurity breach. Statements from the firm were described as “technically incoherent”, as TalkTalk was called out for using incorrect terminology, for example, blaming the breach on a DDoS attack – a type of cyber attack which does not involve the theft of data. Cringe-worthy stuff.

CEO Dido Harding went in front of the media before the firm had worked out what happened. She couldn’t even say if the customer data that was stolen had been encrypted or not. In the absence of credible information from the firm, rumours spread as to the identity of the hackers, while fraudsters jumped in, using the incident to try and defraud customers.

“If you’re going to put your CEO in front of media to talk about a cyber breach, make sure they have the facts they need, and understand what security was in place. Harding appeared to be badly prepared or briefed, and she lost credibility,” argues Kate Hartley, co-founder of crisis comms agency Polpeo.

“If the CEO doesn’t understand security, that sets the tone for the rest of the organisation,” she tells Assured Intelligence.

“If you’re going to put your CEO in front of media to talk about a cyber breach, make sure they have the facts they need, and understand what security was in place.” Kate Hartley

Harding claimed the breach and its fallout were irrelevant to her decision to resign months later. The Tory peer has subsequently taken on several high-profile roles at the NHS under the Conservative government but is yet to occupy any in the private sector. Ironically, she appeared at Infosecurity Europe years later to argue that CEOs should spend more time with the “young stars” of their security teams to learn about risk.

A whaley big problem

CEOs haven’t just been left red-faced because of serious security breaches that occurred on their watch. Increasingly they’re being personally targeted. CEO fraud, or “whaling” as it’s known in the cybersecurity industry (think phishing, but catching a really big one…see what they did there?), is a type of business email attack in which an employee is tricked into wiring corporate funds to an account under the control of the attacker. The latter often impersonates a CEO to do so.

In one incident, Austrian aerospace company FACC lost €42m (£37m) after an employee was tricked by a fraudster masquerading as CEO, Walter Stephan. The board subsequently fired him, claiming he had “severely violated his duties”. Exactly how is unclear, although it may have been related to how the fraudsters compromised his email account in the lead-up to the scam. We speculate…

In a separate incident, the CEO of an unnamed UK-based energy company personally authorised a transfer of €220,000 (£193,000) after a phone conversation with a person he believed to be his German boss. However, it was not his boss but an artificial intelligence (AI) simulacrum known as a deepfake. It’s unclear whether the red-faced CEO kept their job or not.

What is clear is that regulators are taking note as cyber becomes an ever more critical source of business risk. In 2022 the US Securities and Exchange Commission (SEC) published new proposals which would require more granular reporting of cybersecurity incidents, corporate policies and procedures to manage cyber risk, as well as disclosures about the level of cybersecurity expertise on the board.

Separately, the Federal Trade Commission (FTC) took unprecedented action last October against Drizly CEO, James Cory Rellas, over his alleged failings related to a breach of two and a half million customer records. Such was the neglect of basic security best practice at the firm that the order compels Rellas to implement an FTC-approved security programme at any future company he might move to as CEO or owner.

“CEOs who take shortcuts on security should take note,” warned Samuel Levine, director of the FTC’s Bureau of Consumer Protection.

Fail to prepare and prepare to fail

Back in 2020, Gartner predicted that by 2023, 75% of CEOs could be held liable for data breaches if incidents are tied to a lack of sufficient investment or focus. So what can business leaders do to preserve their reputation and the company’s bottom line?

Part of it comes down to creating the right culture – one where cybersecurity is baked into every conversation and every product and service offering by design.

“Security is a culture issue, not just an IT issue,” argues Polpeo’s Hartley. “Every single employee should understand their role in keeping the business secure. Every leader should be able to talk competently about security. Security should be on every board meeting agenda.”

Another critical understanding is that even the best cyber defence may not prevent a breach. That’s where effective incident response comes in, according to Alexandros Papadopoulos, director of incident response consulting at Secureworks. Investing in cyber insurance gives many executives the confidence that they have the very best experts and incident response partners in their corner should the worst happen.

“The market and stakeholders will not look favourably on an organisation or CEO that has failed to prepare. Knowing what to do when a cyber breach happens is key. This means having the right tools in place to quickly and easily understand the blast radius of a breach,” he tells Assured Intelligence.

“Having pre-existing access to senior advisers you can trust, who have experience in dealing with such incidents and do not have their own agenda, is also vital. Finally, you need to practice and operationalise your incident response plan. Otherwise, when something happens, the plan goes out the window, the team goes on gut feel, and mistakes are made.”

Beyond building the right culture, there’s plenty CEOs can be doing themselves to minimise the personal and professional repercussions of a breach, says Polpeo’s Hartley.

“Understand the facts of what’s happened. In the early stages of an attack, you may not know what’s caused it or who’s responsible, or how many people have been affected, but you can talk competently about what you’re doing to find out those things,” she explains.

“Above all, communicate with empathy. And remember: a cyber-attack could define your career as a CEO.”