Photo: Scott Olson/Getty Images
When a company is hacked, it isn’t just security and technology executives who could lose their jobs. Major attacks over the past several years show that even chief executives can be vulnerable.
While it is still a rare outcome, cyberattacks can wound the careers of chief executives.
Since 2014, top leaders at Equifax Inc., retailer Target Corp. and movie producer Sony Pictures Entertainment Inc. have either resigned or been fired in the wake of prominent cyber incidents.
Equifax’s chief executive resigned from the company following its 2017 data breach, as did Target’s chief executive in 2014. At Sony, the co-chair of the business stepped down from that role after embarrassing emails were publicly leaked by hackers, but she stayed on at the company.
To be sure, the burden of responsibility for successful hacks still falls largely on chief information and security officers, rather than chief executives. But experts say the issue of cybersecurity is now front-and-center for the seniormost corporate ranks.
“Almost every CEO we talk to, the words that come out of their mouth are, ‘I lose sleep and our board loses sleep every night due to the fact that we could be compromised’,” said Michael Piacente, co-founder and managing partner at Hitch Partners, a recruiting firm focused on cybersecurity professionals.
That is partly because the fallout of a breach can stretch beyond legal concerns to the very viability of a business, said Brenda Sharton, litigation partner and global chair of the privacy and cybersecurity practice at law firm Goodwin Procter LLP.
“They have to be focused on it from a legal standpoint and because of the legal risks,” she said. “But the reality is they’re focused on it more and more because it’s the biggest threat to their companies.”
Some lawmakers want to make chief executives more accountable for cyber mishaps. Last year, Sen. Elizabeth Warren (D., Mass.) introduced the Corporate Executive Accountability Act, which would impose financial penalties and prison sentences on executives. A summary accompanying the bill referred to the Equifax incident, saying the act would make it easier “to send executives to jail for serious crimes by expanding criminal liability to negligent executives of corporations with more than $1 billion in annual revenue.” No action has been taken on the legislation.
In heavily regulated industries such as the financial sector, chief executives and other officers often have extensive accountability for various business areas. The Senior Managers and Certification Regime in the U.K., for instance, designates responsibility for specific areas to executives who can face personal liability if something goes wrong on their watch.
Cybersecurity, however, is a unique area of risk, said Ms. Sharton. Senior corporate executives don’t often come from information security backgrounds and can’t be expected to be experts in the field, she said. Furthermore, the cunning of some hackers means that blame can’t simply be laid at the feet of the chief executive, she said, particularly if a company followed best practices before an attack.
“Frankly, some companies with state-of-the-art information security get attacked by sophisticated threat actors, and there’s nothing they could have done,” she said. “Look, even the government gets attacked and hacked.”
The blending of physical and digital security in critical infrastructure and manufacturing raises the possibility of attacks so damaging that people’s lives could be lost, said Katell Thielemann, an analyst at Gartner Inc. As a result, chief executives’ personal liability will increase, she said.
Gartner predicts that by 2024, around three-quarters of chief executives could be personally liable for cyber incidents that result in physical harm to people or the environment.
Attackers could interfere with a robotic arm on a production line or an autonomous vehicle on a street, causing people to die, she said. Or a hacked drone could set off an environmental disaster.
“There’s going to be no appetite to let that slide,” Ms. Thielemann said.