CEOs who don’t work in the telecoms or IT sectors may not have paid much attention to the Culture, Media and Sport Committee’s investigation into cybersecurity, which was triggered by last October’s cyber-attack on TalkTalk. That might be a mistake.
The Committee’s report, published on17 June, concludes with two recommendations that have critical implications for anyone who leads an enterprise and has legal responsibility for its behavior – whether that enterprise is private or public, large or small.
First, it suggests that a portion of CEO compensation should be linked to effective cybersecurity. To quote: “To ensure this issue [cybersecurity] receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cybersecurity, in a way to be decided by the Board”. How that will be implemented will no doubt give endless hours of entertainment to remuneration committees and provide lawyers with yet another lucrative revenue stream.
This on its own should surely be a wake-up call. However, it is followed by a second recommendation that for me has even more significant implications. “We concur with the ICO (Information Commissioner’s Office) that, whilst the implementation of the EU GDPR (General Data Protection Regulation, which comes into force in 2018) will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.”
So enterprise executives will not only lose money if they are judged not to have ensured the necessary cyber security, they may also go to jail.
Some may think this is rather extreme. But cyber-crime is a growing risk – whatever size of business you run – as the report points out. According to the Federation of Small Businesses (FSB), a third of their members have been the subject of cyber-crime, while a 2015 survey carried out by PwC on behalf of the Department for Business, Innovation and Skills found that 90% of large organizations had experienced a security breach.
Executives balance risk and reward all the time. It’s what they get paid for. Some may choose not to give this particular risk much attention. They assume that the risk of a cyber-attack is negligible, and so the issue is well down their business agenda (if on it at all), with cybersecurity barely recognizable in the annual budget. So the Committee has come up with a novel way of bringing it to their attention.
All businesses know and accept that at any time HMRC may demand to inspect their accounts to ensure they are paying the right amount of tax and VAT. So we keep our books accurate and up to date, and take into consideration all the relevant legislation.
Now put that into a cybersecurity context. Before too long, the ICO could be knocking on your door to check your business systems are compliant with his definition of security. Also you’ll have to let him in! The committee’s report says: “At present, the ICO has limited powers of non-consensual audit......the ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors.”
One final point. The TalkTalk incident was about customer records being hacked. The personal details – including bank account information – of tens of thousands of customers disappeared into the ether to be shared and abused by heaven knows who. So doubtless the diligent CEO, with an eye for his or her income and liberty, will now be asking some searching questions about IT security and listening with additional sympathy to their CIO’s pleas for more cash to improve it.