You’ll often hear the same old spiel from companies that have just been hit by hackers. “We take security seriously,” they say. “We’ll offer you credit protection.”
What you rarely hear is the sound of the door hitting the company’s boss on the way out of the executive suite.
The average corporate cost of a data breach in the US is a little over $7 million, according to a recent Ponemon study. A new day, a new hack, and little changes. Companies offer their apologies, they swallow a fine or two, and move on.
But don’t expect any fines to come out of the chief executive’s pay.
It’s the customers who have to get new credit cards, change their passwords, and worry about identity theft, fraud, or a ding to their credit.
A look back at the annual wage packets of chief executives shows a stark contrast between the responsibility they bear for breaches and the sums they take home. The chief executives of companies that have been hacked rarely, if ever, face financial scrutiny for their part.
A spot-check of the largest hacks of recent years shows that it’s not uncommon for executive pay to go up in the wake of a data breach.
Things blew up this week when Dido Harding, the chief executive of TalkTalk, a British internet and phone provider, saw her pay packet almost triple in size in the wake of a devastating hack in which attackers stole personal information on four million customers. Harding’s pay rose to about £2.81 million ($4.12m) thanks to a cash bonus and a payout under the company’s long-term incentive plan (LTIP) covering 2012 to 2015; both figures were half of the maximum she could receive under her contract.
Harding later said the bonus would be donated to charity. Nevertheless, any cash bonus issued in the wake of a massive hack is a slap in the face to customers who suffered as a result of the company’s lack of foresight.
Why wasn’t Harding fired? Or, at the very least, why was she rewarded? The reality is that it’s rare for a chief executive to face the sword of Damocles in the wake of such a security snafu.
The UK parliamentary committee investigating the breach said in a damning report published last week that a “portion of CEO compensation should be linked to effective cybersecurity” and that companies should appoint a chief information (or security) officer.
The committee also noted that the UK privacy watchdog can only fine a company up to £1,000 ($1,460) for a data breach.
Every hacked company takes a reputational hit: a battering in the media, or maybe a slap on the wrist from a regulator.
In almost every major data breach, a company’s chief executive keeps their scalp so long as the financial hit doesn’t outweigh growth, investment and, most crucially of all, sales. In most cases, breaches barely wobble a company’s stock price, though TalkTalk seems to be the exception to that rule.
Security only seems to matter to chief executives when it begins to harm sales. But given the possible detriment to the customer, from risks to their credit to identity theft and fraud, it’s inexcusable for executives to take millions in bonuses and cash in on long-term incentive schemes while customers pay for a company’s lack of security diligence.
Nothing would change the dynamics of cybersecurity more than if an executive personally lost money for each and every customer record that was stolen.