Time to tell CEOs to put their money where their mouths are when it comes to cybersecurity
With data breaches now occurring at an alarming rate, organizations across all sectors are scrambling to improve their security in order to avoid getting hit with massive damage control bills.
Just ask Equifax.
The consumer credit rating agency is expected to incur a $439 million cost this year, following the 2017 data breach that exposed the personal details of approximately 146 million consumers, making it one of the most expensive cyber-attacks in corporate history.
While this recent estimate does not include fees related to Equifax’s ongoing investigations – or subsequent litigation – the recovery of the company’s share price in bulk has brought responsibility into question and left consumers uncertain that their information will be taken seriously going forward.
But with the size of data breaches experiencing a 1.8% increase across the globe, according to a 2017 report by Ponemon Institute, the majority of organizations are now focused on improving security where, it is generally believed, every employee should maintain some form of duty in cyberattack prevention.
In the Equifax case, however, blame for failing to act on a known software vulnerability fell upon one solitary IT employee.
“The human error was that the individual who’s responsible for communicating in the organization to apply the patch, did not,” former Equifax CEO Richard Smith told the US House Energy and Commerce Committee in October.
Smith’s “humbling” apology, unsurprisingly, fell short when the 57-year-old executive went into early retirement just over a week after penning his remorse in USA Today – taking with him nearly $70 million in stock profit on top of his compensation.
“Saying ‘trust us’ and providing a list of protocols is not enough,” said Jonas Kron, vice president of Trillium Asset Management, speaking on behalf of Verizon shareholders who are now calling for greater repercussions when consumer data is compromised.
Verizon has had numerous data breaches of its own, including in July 2017, when six million of its customer records were exposed online through a security lapse on the server of Nice Systems, a Verizon partner. The company also attributed the error to an individual employee, CNBC reported.
“We want Verizon executives to put money where their mouths are and to adopt accountability mechanisms that link compensation to security and privacy performance,” said Kron.
In a proposal set to be presented at a Verizon meeting in May, shareholders want executive compensation to be tied directly to the company’s cybersecurity performance.
Putting a price on cyber risk management, the proposal states, is something that the telecommunications conglomerate should be familiar with after it acquired Yahoo! last year for $350 million less than was initially proposed. This was due to massive data breaches in both September and December 2016 that had left the web service provider badly damaged.
“We feel like we have enough clarity that we can put parameters around the risk here and negotiate a deal that effectively compensates us for the risk,” Verizon said before closing the takeover.
With executive compensation already driven by a formula of earnings per share and revenue, representatives of Verizon shareholders, including the non-profit Park Foundation, think data privacy must play a crucial role.
“The only way Verizon will take this issue seriously is if the leadership at the top of the company see real personal consequences for failing to do so,” said the Park Foundation’s executive director, Jon Jensen.
“Verizon has the ability to create state-of-the-art security and privacy protection. It owes that to its customers and shareholders.”
The proposal notes that the enforcement initiatives recently brought forward by the US Securities and Exchange Commission (SEC) do little to ensure that companies do all that they can to protect consumer safety in the aftermath of any cyberattack.
Yet the potential failings of the SEC could be circumvented with another motion currently before Congress that seeks to impose large penalties on credit reporting agencies, like Equifax, that forgo protecting consumer data.
Introduced earlier this year by US Senators Mark Warner and Elizabeth Warren, the Data Breach Prevention and Compensation Act would require a payment of at least $100 for every customer who has their information compromised.
The Act has, so far, been widely supported by consumer rights groups, but similar, largely unpopular legislation brought forward before it, such as the Data Security and Breach Notification Act, could mean that federal standards for corporate accountability are a long way off.