The Cyber-Threat Risk - Oversight Guidance for CEOs and Boards
THE TIME HAS come for CEOs and Boards to take personal responsibility for improving their companies’ cyber security. Global payment systems, private customer data, critical control systems, and core intellectual property are all at risk today. As cyber criminals step up their game, government regulators get more involved, litigators and courts wade in deeper, and the public learns more about cyber risks, corporate leaders will have to step up accordingly.

Sameer Bhalotra
Former White House Senior Director for Cybersecurity
LogRhythm
Introduction
At the height of the critically important holiday shopping season in 2013, one of North America’s largest merchants suffered a major data breach. Cyber thieves surreptitiously compromised point-of-sale (POS) systems and stole the payment card data of 40 million customers, along with non-payment personal data of another 70 million customers.1 In terms of the amount of sensitive information stolen, this was among the largest known data breaches in history.
The fallout from this event was swift and sobering. The company’s shares initially plunged 11% following the announcement of the breach. Sales fell 3.8% as the number of transactions dropped 5.5% during the crucial holiday season.2 Q1 2014 earnings dropped 16%.3 By the second quarter of 2014, the company reported net pre-tax data breach expenses of $129 million, or 13 cents per share—and that was just the beginning.4 Even now, expenses continue to mount as the company prepares for class action and other lawsuits while paying for credit monitoring for tens of millions of customers.
The data theft and the ensuing loss of confidence took a toll on the company’s executive ranks. The CIO resigned three months after the breach announcement, and the CEO lost his job three months later, due in part to the disastrous effects of the breach. Institutional Shareholder Services urged shareholders to vote out the directors who served on the audit and corporate responsibility committees, claiming that the committee members’ failure to ensure appropriate management of these risks set the stage for the data breach that resulted in significant losses to the company and its shareholders.5
This particular breach is being felt far beyond the company at the heart of it. Banks and credit unions have spent more than $200 million to date replacing credit and debit cards for consumers whose accounts were compromised. This single breach alone affected 10% of the debit and credit card customers of every bank and credit union in the U.S.6 While consumers aren’t directly liable for any financial losses due to fraud that results from this event, the financial institutions that typically absorb credit card fraud are likely to sue the victimized merchant to recover breach-related costs.
Beyond this singular event, recent breaches of some of the largest financial institutions in the U.S. are garnering attention at the highest levels of government. President Obama and his top national security advisors have received briefings on the cyber attacks on JP Morgan Chase and nine other financial companies. Corporate executives with those financial institutions are expected to cooperate with the U.S. Secret Service as the agency explores the details of the breaches in search of the criminal actors and their motives.
These and other attacks headlining business news reports demonstrate the imperative for CEO and Board level involvement in IT security. CEOs need to elevate the importance of cyber security and be more directly involved in setting the level of acceptable risk. The state of an organization’s IT security posture is too important to be fully delegated to the CIO and CISO and then disregarded at the CEO level. A serious cyber attack can have a material adverse effect on a company’s financial well-being, and this places cyber security into the category of a business risk that warrants CEO and Board attention.
1 Brian Krebs, "The Target breach, by the numbers," May 14, 2014
2 Paul Ziobro, "Target Earnings Slide 46% After Data Breach," The Wall Street Journal, updated February 26, 2014
3 James Covert, "Target data crisis haunts Q1 earnings, with 16% drop," New York Post, May 21, 2014
4 Press release, "Target Reports Second Quarter 2014 Earnings," August 20, 2014
5 Paul Ziobro, "ISS urges overhaul of Target board after data breach," The Wall Street Journal, May 28, 2014
6 William Hughes, Senior Vice President, Government Affairs, Retail Industry Leaders Association, letter to the U.S. Senate, February 3, 2014