UK Parliamentary Committee Wish To Penalise CEOs for Cyber Breaches (£)
The UK’s Parliamentary Culture, Media and Sport Committee has recently recommended significantly heavier penalties for CEOs (Chief Executive Officers) who fail to respond to, assume IT is dealing with, or simply ignore timely reports about hacking and data breaches.
The Committee’s recommendations also include linking a CEO’s bonus and salary to the effectiveness of their company’s cybersecurity programme. This follows last year’s data breaches at organisations such as TalkTalk and UK Telecom, which will probably affect far more than the one million customers whose data was compromised.
The Committee recommends heavier penalties for cyber criminals, but it also says it is important to have penalties for the business as a whole, and in particular for CEOs’ compensation, where it becomes obvious that they have not given cyber security significant attention.
The Committee believes that far more focused planning and action should now be undertaken continually by all organisations to reduce the effects of cyber-attacks. For example, in section 14 of the Report the Committee states:
14. We believe it is essential to increase customer awareness of on-line and telephone fraud and scams, but consumers also have a responsibility to protect themselves on-line.
There needs to be a step change in consumer awareness of on-line and telephone scams. The Government should initiate a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing. All relevant companies should provide well-publicised guidance to existing and new customers on how they will contact customers and how to make contact to verify that communications from the company are genuine. This verification mechanism should be clearly signposted and readily accessible, as with existing customer contact and complaints mechanisms.
The Information Commissioner should check that data controllers have put easy-to-use verification guidance and measures in place. We think that these recommendations should apply not only to the telecommunications sector but also more widely to all who hold customer personal data.
"Failure to prepare for or learn from cyberattacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent," Committee Chairman Jesse Norman said in a statement.
In point 20 the Report also discusses the depth of understanding that organisations will require:
20. Although TalkTalk had run various business continuity exercises, including potential risks like cyber-breaches, TalkTalk had not exercised and planned on how to handle a cyber-attack on this scale.
In the 2016 Cyber Breach Survey for DCMS, it was striking that only 29% of companies had formal written cyber-security policies, and on average 10% of companies surveyed had a cyber-incident management plan, although 42% of large companies did have one.
Other submissions stressed the importance of “scenario-exercising to build organisational and national resilience” and BT saw testing and monitoring as an “essential part” of doing business in the digital economy.
In written evidence, TechUK emphasised the importance of managing communications with customers, pointing out that an email after a breach can give cyber-criminals “an opportunity to spoof the affected company and dupe customers.”
In major organisations, where the risks of attack are significant, the person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has been an actual breach.
In point 25 the Report also emphasises that it should now be easier for consumers to claim data breach compensation. It recommends that the Citizens Advice Bureau, the ICO (Information Commissioner’s Office) and Police Victim Support Units should now provide advice to consumers, and that the Law Society should also provide guidance to its members to assist people seeking compensation after a cyber-attack.
In section 33 the Report recognises the responsibility that TalkTalk took on and its collaboration with the Metropolitan Police:
33. We welcome the close collaboration that TalkTalk established with the Metropolitan Police immediately after the October 2015 cyber-attack. We recognise that the TalkTalk Board decided to notify all customers potentially affected, and subsequently established that the number actually affected was much smaller.
However, the tension between police investigation priorities and informing those affected may be further complicated by situations where it may take weeks or months from finding evidence of a possible breach (e.g. customers being contacted by fraudsters) to finding the source of the breach (in the organisation or its supply chain).
The ICO and Cyber Essentials should publish further guidance on informing the relevant authorities and include best-practice examples of how to inform in an appropriate way those affected, in order to strike the best possible balance between protecting information that is sensitive to police investigations, whilst recognising consumer/customer requirements to be made aware of a breach that may affect them. This is particularly relevant as the EU GDPR will extend the obligation to inform consumers to all companies and organisations, not just telecommunications companies and ISPs.
In section 38 the Committee states that the digital economy is essential to the UK economy (and, we would say, certainly more so since Brexit). This section goes on to state:
Companies and other organisations need to demonstrate not just how much they are spending to improve their security but that they are spending it effectively. We therefore recommend that organisations holding large amounts of personal data (on staff, customers, patients, taxpayers etc.) should report annually to the ICO on:
i) Staff cyber-awareness training
ii) When their security processes were last audited, by whom and to what standard(s)
iii) Whether they have an incident management plan in place and when it was last tested
iv) What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine
v) The number of enquiries they process from customers to verify the authenticity of communications
vi) The number of attacks of which they are aware and whether any were successful (i.e. actual breaches)
Such reporting should be designed to help ensure more proactive monitoring of security processes (both people and cyber) at Board level, rather than reporting breaches after they have happened. Those submitting reports should also be encouraged to include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place.
The Committee report includes proposals to strengthen the sanctions available to the Information Commissioner’s Office (“ICO”), England’s data protection regulator. Although the ICO may already levy fines of up to £500,000, the Committee felt the maximum penalty “may not be a significant deterrent for a large company.”
The Committee promotes fines that increase significantly where a cyber-breach results from a company’s lack of attention to threats and vulnerabilities, particularly ones that have led to previous breaches, or from a company’s failure to implement security-by-design principles to combat cyber risks.
The Committee certainly believes that current executives should take far more responsibility and have a more active role in cybersecurity and that businesses holding a lot of consumer data should be required to report annually on their cybersecurity and data protection programs.
In focusing on a CEO’s role in cyber preparedness, the Committee noted that operational and technical implementation of cyber programmes generally lies with a CIO, CISO or Privacy Officer, but “ultimate responsibility” stays with the organisation’s CEO.
Other recent events that lend support to the Committee’s findings
Walter Stephan, CEO and head of the board of FACC, the Boeing and Airbus supplier, was recently dismissed over errors he made in a “president fraud incident” that the firm discovered in January 2016.
Attackers tricked FACC financial controllers into wiring €52.8m to fraudsters in what appears to have been several transactions. The company was able to recover €10.9m of the funds from other banks; however, €41.9m was lost, creating an operating loss of €23.4 million.
The fraudsters probably set up a fake email address to pose as the CEO and then convinced someone in the finance department to wire funds to an overseas account under the pretence that the money was owed to a known supplier. The FBI has warned that fraudsters target firms with international suppliers.
This appears to be along the lines of what happened to the firm.
Stephan told shareholders, “The fraud did not take place via our Internet or IT system but by means of a simulated email correspondence under my name, which does not require any hacking.”
In February FACC sacked its chief financial officer, noting that the fraudsters had targeted the financial accounting department. The company had not identified malware related to the fraud and said it was pursuing damages and insurance claims.
US toy maker Mattel recently revealed a narrow escape from a CEO email fraud campaign after a financial officer was duped into wiring $3m to a bank in China. Mattel was able to halt the transfer and recovered the funds.
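Both the FACC and Mattel cases turned on an email that merely looked as though it came from the CEO, with no intrusion into the company’s systems. The following is an added illustration (not code from the Committee report, FACC or Mattel) of the kind of inbound-mail check a finance team’s mail gateway or SOC can run to flag executive impersonation: a known executive’s display name paired with an external sender domain, a look-alike of the corporate domain, a Reply-To that points somewhere other than the From domain, and mail claiming the corporate domain without a passing DMARC result. The company domain, executive name list and all message headers below are constructed for the example and are assumptions, not data from the article.

```python
"""Flag inbound mail that impersonates an executive by display name or look-alike domain.

All sample messages, the company domain and the executive list are constructed
for illustration; none of these values come from the Committee report.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-aero.com"      # assumed corporate domain
EXECUTIVES = {"walter stephan"}          # assumed executive display names, lower-cased
LOOKALIKE_MAX_DISTANCE = 2               # how many edits away still counts as a look-alike


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if the address has no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def assess_message(raw: str) -> list[str]:
    """Return the reasons a message looks like executive impersonation (empty list if clean)."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = _domain_of(addr)
    reasons = []

    # 1. A known executive's name on a sender address outside the corporate domain.
    if name.strip().lower() in EXECUTIVES and domain != COMPANY_DOMAIN:
        reasons.append(f"display name '{name}' is an executive but sender domain is '{domain}'")

    # 2. A sender domain that is only a character or two away from the real one.
    if domain and domain != COMPANY_DOMAIN and _edit_distance(domain, COMPANY_DOMAIN) <= LOOKALIKE_MAX_DISTANCE:
        reasons.append(f"sender domain '{domain}' is a look-alike of '{COMPANY_DOMAIN}'")

    # 3. Replies silently redirected to a different domain than the visible sender.
    reply_domain = _domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain '{reply_domain}' differs from From domain '{domain}'")

    # 4. Mail claiming the corporate domain should carry a dmarc=pass verdict from the
    #    receiving mail server's Authentication-Results header; its absence is a signal.
    auth = msg.get("Authentication-Results", "").lower()
    if domain == COMPANY_DOMAIN and "dmarc=pass" not in auth:
        reasons.append("mail claims the corporate domain but carries no dmarc=pass result")

    return reasons


# Constructed sample messages (not real correspondence).
SPOOF_LOOKALIKE = """From: Walter Stephan <w.stephan@example-aer0.com>
To: payments@example-aero.com
Subject: Urgent supplier payment

Please wire the attached invoice today.
"""

SPOOF_FREEMAIL = """From: Walter Stephan <walter.stephan.ceo@webmail-example.test>
To: payments@example-aero.com
Reply-To: confirmations@another-example.test
Subject: Confidential transfer

Call me after it is sent.
"""

LEGITIMATE = """From: Walter Stephan <walter.stephan@example-aero.com>
To: payments@example-aero.com
Authentication-Results: mx.example-aero.com; spf=pass; dkim=pass; dmarc=pass header.from=example-aero.com
Subject: Board papers

Attached as discussed.
"""

if __name__ == "__main__":
    for label, sample in [("look-alike", SPOOF_LOOKALIKE), ("freemail", SPOOF_FREEMAIL), ("legitimate", LEGITIMATE)]:
        print(label, "->", assess_message(sample) or ["no findings"])
```

The checks are deliberately cheap and header-only, so they can run on every inbound message before it reaches a payments mailbox; a hit is a reason to route the message for a call-back on a known number rather than to block outright, since the look-alike test will also catch typos in legitimate partner domains.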