CEO Pay Should Be Linked to Cyber Defenses, Say UK MPs

MPs have recommended sweeping changes to the way the UK deals with cybercrime, from defenses to punishment.

Among the changes suggested in the Culture, Media and Sport select committee report are two-year custodial sentences for anyone convicted of cyber offences, fines for businesses that fail to adequately defend themselves from cyber-attacks, and CEO pay that is linked to the quality of the organization’s cyber defenses.

The report has emerged as a result of the inquiry into the October 2015 hack of mobile company TalkTalk, which exposed personal information relating to over 150,000 customers. However, the report makes clear the scope is far wider than that one incident.

“Although the TalkTalk cyber-attack in October 2015 was the trigger for this inquiry, it is essential to put this attack in context. Cybercrime is a significant and growing problem and affects all sectors with an online platform or service,” the report said.

Perhaps one of the largest and most significant recommendations is that every company that handles large amounts of personal data, whether it’s staff or customers, should report annually to the ICO on: “Staff cyber-awareness training; when their security processes were last audited, by whom and to what standard(s); whether they have an incident management plan in place and when it was last tested; what guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine; the number of enquiries they process from customers to verify authenticity of communications; and the number of attacks of which they are aware and whether any were successful (i.e. actual breaches).”

Additionally, escalating fines should be introduced for delays or failures to report a breach, MPs said. Escalating fines could also be introduced, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.

So, “a data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine,” the report said.

While ultimately a CEO is responsible in the event of a significant cyber-attack, the report recommends that organizations have someone in place who is responsible for cybersecurity on a day to day basis, who can be sanctioned if cyber defenses are deemed too weak.

Interestingly, the report also recommends that, “a portion of CEO compensation should be linked to effective cyber security.” This will hopefully mean CEOs pay attention to cyber risks before any potential crisis occurs.

Other improvements recommended in the report include making it easier for victims to claim compensation. This means the likes of Citizens Advice Bureau, ICO and police victim support units helping customers with the process of claiming compensation.

“It would be useful for the Law Society to provide guidance to its members on assisting individuals to seek compensation following a data breach. The ICO should assess if adequate redress is being provided by the small claims process,” the report added.

Finally, the report suggested that current ICO fines of £500,000 may not be a significant deterrent to big organizations, but the incoming European General Data Protection Regulation should change that.

What’s Hot on Infosecurity Magazine?