
In early September, the board of Australia-based Qantas Airways voted to punish CEO Vanessa Hudson and other top executives for a 30 June cyber event that exposed personally identifying information of about 6 million passengers, cutting $800,000 (US$522,000) from their bonuses.
The last time a board was publicly known to have withheld compensation from a CEO over a cyber security breach was in 2017, when Yahoo’s board denied CEO Marissa Mayer compensation over the mishandling of multiple breaches that exposed the personal information of more than 1 billion users.
If the Qantas board has signaled a new era of holding CEOs financially accountable for cyber security, it would represent a welcome change for CISOs, experts say.
“When the board punished the CEO and the executive team financially, it reflected the board’s understanding of a new reality: that cyber security is now so important that it is the common responsibility of all leadership,” Joe Sullivan, a former Uber CISO who was controversially convicted of obstruction and other charges related to a breach at the ride-hailing giant, tells CSO.
“This example is only the latest in cases where accountability has moved to the highest levels of organizations,” says Sullivan. “Believe me, this voluntary action of the board has received a lot of attention in the security community and a lot of positive praise. It was a matter in the security programs of the city that I included in both London and San Francisco.”
Increasing legal action and regulation also shift accountability to CEOs
Docking CEO pay, at least publicly, is a rare step for corporate boards, especially when it comes to cyber security incidents. In a statement, the Qantas board said, “Despite the strong (financial) performance, the board decided to reduce the annual bonus by 15 percentage points as a result of the impact of the cyber incident on our customers. It shows their shared accountability to support the ongoing efforts to support customers and keep additional security for customers.”
Qantas chairperson John Mullen stressed that the CEO and management responded quickly to help customers, but the board felt that the incident was serious enough to warrant a financial penalty, possibly serving as a solid reminder that CEOs should pay close attention to the security state of their organizations.
The Qantas decision comes as government agencies and regulators increase the legal penalties for CEOs after breaches.
In 2022, for example, the US Federal Trade Commission held James Rellas, the CEO of an alcohol delivery service that is now part of Uber Eats, personally responsible for the company’s failure to implement and apply appropriate information security practices, which led to a data breach that exposed the personal information of 2.5 million consumers.
Under new rules adopted by the US Securities and Exchange Commission (SEC) in 2023, CEOs and CFOs face significant individual and commercial penalties, which can run into millions of dollars, for failures of oversight and reporting or for failing to make accurate disclosures.
At the US state level, data breach laws such as the California Consumer Privacy Act and the New York SHIELD Act impose direct accountability on CEOs for cyber security governance and breach response. In the EU, under NIS2 (Network and Information Systems Directive 2) and DORA (Digital Operational Resilience Act), CEOs can be held personally responsible and face significant penalties for breaking cyber security rules.
“What you are definitely seeing is a scenario that is going to see more of this type of CEO legal liability instead of less,” Martin Tully, a partner at law firm Redgrave LLP, tells CSO. “We are definitely looking at a regulatory environment that continues to keep the spotlight on high-level authorities. It is a responsibility that needs to be taken seriously at the organization’s highest levels.”
Paul Mee, a partner at management consulting firm Oliver Wyman, thinks that data breaches can have hidden C-suite consequences that the public never sees. “Whether you are removed or whether you are not promoted or you get retired quickly, all these can be results that do not always appear,” he tells CSO. “The media does not always have salty articles that say, ‘Hey, you were thrown behind it.’ There are more subtle ways to do this.”
What should CISOs and CEOs do now?
CISOs, historically the ones tied to breaches and malicious cyber incidents, should focus on this emerging trend. “Be aware of the environment and expectations today, and where they are leading,” says Redgrave’s Tully. “Try to get out in front of it. You need to work with your board and your executive team to take these things very seriously.”
And, as the losses inflicted on companies by ransomware attacks and cyber incidents mount, outside investors are starting to demand more accountability from CEOs. “Companies that are providing venture capital or doing a lot of acquisitions are now looking at due diligence on cyber and privacy, which is at almost the same level as financial constraints due to its increasing importance,” Tully says.
CEOs, for their part, need to work more closely with their boards to plan out the organization’s data breach and incident response. “The board needs to be drilled, practiced, and find out about the risk so that when this happens, they have muscle memory and communication ability to deal with it,” says Oliver Wyman’s Mee. “Because without it, it is going to deteriorate rapidly.”
Boards, for their part, are learning quickly. “Rapidly, the boards take it seriously,” says Mee. “I interact with a lot of boards. Cyber security is a top-three item continuously. AI is probably at the top of the list for boards. But cyber security is very important and has gained more visibility in front of boards than ever.”
As CEOs and boards move forward, it should be clear that the data breach buck stops with the CEO and not with the CISO and their security teams. “In the past, you have put a huge burden of safety and de-risking on a person, who may have been cut from a separate cloth and may not even have the power, impact, and the ability of governance to influence the necessary changes for safety,” says Mee.
Sullivan says, “No security team by itself can protect a company from attackers, as the company’s culture, risk tolerance, and investment in safe systems are collectively defined by the CEO.”

