Data breaches often result in CEO firing

Mar 07, 2016 (7 min read)

A cautionary tale of how cyber security failures can cost a CEO their job.

What are the real world risks of a cyber security breach to CEOs and their company? We will explore the issues of reputational damage, incident cost, stock price impact, and increased regulatory attention. We will also discuss the fate of four CEOs who have faced cybersecurity breaches in the past three years.

According to Warren Buffett, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.” The “2015 Cost of Data Breach Study: Global Analysis” from the Ponemon Institute shows that companies suffer a higher churn rate, increased customer acquisition costs, reputation losses and diminished goodwill following an information security breach.

The 2015 Information Security Breaches Survey, conducted by PwC, states: “When asked what made a particular incident ‘the worst’, 16 out of the 39 organisations who responded cited that it was the damage to their reputation which had the greatest impact. This is an increasing trend, up from 30 percent of respondents in 2014 to 41 percent this year.”

Lastly, from the Global Risk Management Survey 2015, quoting Greg Case, CEO of Aon, “For the first time since 2007, damage to brand and reputation has emerged as the top-ranked risk in our survey. Interestingly, cyber risk has entered the top 10 for the first time this year. The connection between these two risks has been felt around the world in 2014, as a rash of data breaches demonstrated the fragile nature of consumer trust in leading corporations.”

An information security breach robs a company of its good name and its customers, increases the cost of acquiring new customers and closes off opportunities. The damage may be compounded by individual or class action lawsuits from former customers. Consumers are now aware of the negative impact identity theft can have on their lives and are voting with their pocketbooks in increasing numbers.

Incident cost

According to the Ponemon Institute, the average total cost of a data breach for the participating companies increased 23 percent over the past two years to $3.79 million. The PwC 2015 Information Security Breaches Survey, showed much the same trend, “the survey did find that the total cost of dealing with incidents continues to increase. Looking at the single worst breach suffered, the costs to large organisations range from just under £1.5 million (£1,455,000) to £3.14 million. For small organisations, the range starts at £75,200 to £310,800. These figures account for activities such as business disruption, days spent responding to an incident, loss of business, regulatory fines and loss of assets.”

To put the escalating cost of cyber breaches into perspective, the Center for Strategic and International Studies estimates the annual cost of cybercrime and economic espionage to the world economy may be as high as $445 billion. That is nearly 1 percent of global income.

If there is a bright side to information security breaches, it is that they usually affect stock prices only for a very short period of time, if at all. In the Harvard Business Review article “Why Data Breaches Don’t Hurt Stock Prices”, Elena Kvochko and Rajiv Pant assert that “Overall, stock prices during and following the high profile security data breaches in the past several years have decreased slightly or quickly recovered following the breach.” This has held true for three of the highest profile information security breaches; however, there is a more recent example where that rule has not held in either the short or the near term.

[Chart: stock prices of the breached companies]

As you can see from the top three companies, short and near term impact to the stock price was limited or non-existent. TalkTalk is an outlier possibly due to the manner in which the company handled the incident, cultural differences in attitudes towards privacy and the significant customer churn created by the breach. TalkTalk is a British telecommunications company which provides Internet access, pay television and mobile network services to businesses and consumers. In a report on customer confidence from Kantar Worldpanel, Imran Choudhary, Consumer Insight Director states:

Customers have lost faith in TalkTalk as a trustworthy brand. The provider saw its share of the home services market fall by 4.4 percentage points quarter on quarter in terms of new customers, only 1.4% of whom gave reliability as a reason for joining the provider in the last three months – well below the market average.

TalkTalk continues to offer some of the most attractive promotions across the home services market and almost a third of its new customers did choose it for this reason, but there can be no doubt that it lost potential customers following the major data hack. If it’s to recover from recent events TalkTalk will need to offer more than just good value.

At this point, there have been five arrests in relation to the TalkTalk breach of October 2015, with suspects ranging in age from 15 to 18. Time will tell whether the TalkTalk breach continues to weigh on the company’s share price and its bottom line.

Regulatory attention

Under HIPAA alone, health information privacy complaints rose from 6,534 in 2004 to 17,779 in 2014. At the end of October 2015, the complaints received by Health and Human Services totaled 123,065. That is a 592 percent increase, with two months of the year still to be counted. The UK’s Information Commissioner reports similar challenges for 2015: “There was a 44% rise in the number of data security incidents in the health sector compared to the previous quarter (from 193 in the first quarter to 278 in the second quarter). The health sector continued to account for the most data security incidents. This was due to the combination of the NHS making it mandatory to report incidents, the size of the health sector, and the sensitivity of the data processed.”

Regulatory attention increases the likelihood of fines and an additional cycle of negative publicity. Even with increased regulatory attention and negative press, fines are still relatively rare when compared with the volume of breaches reported. Regulators have been warning that information security breaches will see increased scrutiny and higher fines. Last year’s record breaking fines from the US Federal Communications Commission and recent enforcement action from the US Federal Trade Commission have shown these warnings to be far from idle.


The CEO’s Fate

Target: On May 8, 2014, Forbes reported that Target CEO, President and Chairman Gregg Steinhafel resigned from all his positions, “Following The Massive Data Breach And Canadian Debacle”. In this instance, Steinhafel’s departure from Target may not be solely attributed to the Target breach but also to a poor outcome with Target’s failed expansion into the Canadian market.

Home Depot: Frank Blake announced his retirement as CEO, shortly before the September 2014 breach came to light. He could have easily dropped the incident in the lap of the incoming CEO, but he didn’t. He captained Home Depot through the choppy waters of this incident with great skill. The company’s share price didn’t skip a beat; however, in February 2015, he stepped down as chairman of Home Depot as well.

Sony: In a Feb. 12, 2015 article from the Huffington Post, Amy Pascal, former co-chairman of Sony Pictures Entertainment, openly admitted that she was fired as a direct result of the November 2014 breach.

TalkTalk: Dido Harding is currently the CEO of TalkTalk. The company recently disclosed that the October 2015 cybersecurity incident cost it over 100,000 customers and a financial loss of £60 million (about US $83 million). This comes on the back of the recent announcement that three Wipro employees had been arrested in connection with the TalkTalk hack.


Information security breaches directly affect the reputation of a business, but it is unclear how detrimental that is to the bottom line. Only TalkTalk suffered a significant reduction in its share price. There is little doubt that heavily publicized information security breaches will draw the attention of regulators. There is less certainty that such attention will result in a significant fine. The impact of the breaches on the CEOs of Target, Home Depot and Sony was more severe than the impact on their companies: each was out of their position within six months of the breach. That apparent six-month window is still open for TalkTalk’s CEO. The long-term risks of an information security breach to companies appear to be changing, but the near-term risk to corporate CEOs seems clear.


I have over twenty years of experience as an information security professional, serving in executive and senior management positions in the US and the UK. My responsibilities have included the development and implementation of global information systems security management programs aligned with the NIST CSF, ISO 27001:2013, elements of the NIST 800 series and HIPAA/HITECH. I have also created new corporate risk programs, including the formation of a board-level Risk Committee, and implemented new vendor management programs to track the compliance state of our key vendors and data holders with HIPAA/HITECH and PCI DSS. I completed the requirements, testing and installation of a state-of-the-art security information and event management (SIEM) platform using IBM’s QRadar and ArcSight, and of two vulnerability scanners, IBM’s QVM and Nessus. I developed an information security awareness program which included annual training for all staff.

I served as Chairperson of the Communications and Public Relations Project Group of Interpol’s European Working Party on Information Technology Crime, and advised its Wireless Applications Security Project Group. I am a former President of the United Kingdom and Bluegrass chapters of the Information Systems Security Association (ISSA), and a former member of the editorial advisory board of the ISSA Journal. I have attended numerous courses on cybercrime and white collar crime through both the Kentucky Department of Criminal Justice Training and the National White Collar Crime Center.

It has been my honor to be named an ISSA International Fellow (2015) and to receive the International Information Systems Security Certification Consortium, Inc. (ISC)^2 President’s Award for service to the information security community (2002, 2004 and 2009).

Lastly, I hold a Master of Science in Information Security from Royal Holloway, University of London, and am a former senior instructor for the (ISC)^2 CISSP CBK seminar, an MCSE and a BS7799 Lead Auditor.

The opinions expressed in this blog are those of Richard Starnes and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.