alphaspirit - Fotolia

Manage Learn to apply best practices and optimize your operations.

Should one cybersecurity mistake mean the end of a CEO's career?

In one case, a tenured CEO made one cybersecurity mistake and was fired. Expert Mike O. Villegas discusses whether this sets a precedence for enterprises going forward.

Recently, the Austrian aircraft company FACC fired its CEO of 20 years because he fell victim to an online scam that cost the company over $50 million. Does the decision to fire a tenured CEO for one cybersecurity mistake set a precedent? Will other boards follow suit?

The Sarbanes-Oxley Act of 2002 came about after a series of well-publicized corporate frauds, such as Enron, WorldCom, Sunbeam, Xerox and Global Crossing. In all of these cases, corporate malfeasance led the Sarbanes-Oxley Act to impose financial and technical regulations for the purpose of improving the accuracy and reliability of financial reporting.

Some have viewed the Sarbanes-Oxley Act as a knee-jerk reaction to these fraudulent events, believing that the regulations are imposing and burdensome; however, cybersecurity professionals and systems auditors, who have historically found resistance in deploying even baseline controls, viewed it favorably.

In addition to improvements in the design and effectiveness of internal controls, the Sarbanes-Oxley Act requires CEOs and CFOs to certify the verity of their financial statements, for which they are personally liable. Since then, numerous highly publicized breaches, at companies such as Target, Home Depot, Sony, TalkTalk and, more recently, the Austrian aircraft parts company FACC, have resulted in the terminations of CEOs and other executives. But do these breaches establish a trend for future executive collateral damage for a cybersecurity mistake?

Executive termination for cybersecurity mistake

The precedent of CEO, CFO and executive tenure risk was set with the Sarbanes-Oxley Act, although few executive terminations have resulted due to noncompliance or inaccurate financial reporting. The recent breaches have resulted in executive terminations, not due to the Sarbanes-Oxley Act, as it applies strictly to public companies, but because the company needed to send a message to company stockholders.

The Payment Card Industry Data Security Standard requires that executives sign the Attestation of Compliance report, which states "All information within the above referenced ROC [Report of Compliance] and in this attestation fairly represents the results of my assessment in all material respects."

What we are seeing now is the role of the CEO and board members including a personal liability, which they need to take seriously. A cybersecurity mistake made by the CEO or CFO that results in tangible financial losses could make the CISO collateral damage, and could even make him a scapegoat for executive management.

CEO tenure is no longer at risk due to corporate malfeasance. CEO tenure is now at risk based on the effective control and protection of corporate assets.

This is not necessarily unreasonable. What it does do is put the onus on the CEO to ensure the right CISO is hired and that the proper protection is deployed. Cybersecurity is not just a necessary evil, cybersecurity is risk based, and accountability ultimately rests with the board.

Ask the Expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Discover the effect of the Sarbanes-Oxley Act on corporate governance and IT operations

Learn what the Sarbanes-Oxley Act requirements are for social media

Check out five ways to prepare for a Sarbanes-Oxley Act audit

This was last published in December 2016

Dig Deeper on Data security breaches

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

Do you agree that the CEO should've been fired in the FACC case, why or why not?
In many cases, an executive isn't fired due to "one" mistake. I can't speak for the example in the article. Often, the stories that make it to the news are examples of a cascade of errors, cover up, lack of reasonable effort, and blame that eventually lead to the one last error bringing down the entire house of cards.

For an executive to protect themselves, they must demonstrate they used good judgement, practiced due diligence, and made a "reasonable effort" to prevent errors. That, and potentially other effort, are what will protect one from being fired due to these issues.
Group Security Management is important as CEO alone can not perform all the security activites. However performance measures, management by metrics must be in place to avoid a loss of this magnitude. Line Manager must have been warned/let go instead of CEO.