CEOs' pay should be slashed if firms fail to protect against online attacks

A UK parliamentary report proposes raising penalties for hacked companies and tying CEO pay to cybersecurity performance.
Written by Liam Tung, Contributing Writer

A new UK parliamentary report recommends that businesses face escalating fines for cybersecurity breaches, with the biggest penalties reserved for firms that succumb to "plain vanilla" intrusions, such as the SQL attack on telco TalkTalk.

The heaviest penalties should be levied against companies that experience "continued vulnerabilities and repeated attacks", the report from the UK's Culture, Media and Sport Committee notes.

The report also recommends that a "portion of CEO compensation should be linked to effective cybersecurity" and that companies appoint a chief security officer.

TalkTalk was breached in late 2015 after hackers exploited an SQL flaw and exposed details of over 100,000 customers. The incident cost the company £60m ($88m). TalkTalk later appointed PwC to investigate the breach, leading TalkTalk CEO Dido Harding to admit that the company "underestimated" cybersecurity.

The government recommendations came as TalkTalk revealed that Harding earned £2.81m ($4.1m) in the past year, of which £1.97m ($2.9m) was for hitting long-term incentive targets. Harding donated a £220,000 ($322,000) bonus to charitable causes.

The report also recommends that the Information Commissioner's Office (ICO) should be given the power to impose heavier fines on companies that delay the disclosure of a breach. At present the ICO can only fine a firm £1,000 ($1,460) for this.

"Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment," said Jesse Norman MP, chairman of the Culture, Media and Sport Committee.

"Failure to prepare for or learn from cyberattacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent," he said.

"As the TalkTalk case shows, the reality is that cyberattacks are a constant, evolving threat. TalkTalk responded quickly and well to this attack, but appears to have been much less effective in the past, failing to learn from repeated breaches of different kinds.

"They should now publish as much of the PwC investigation as commercially possible without delay, and set out exactly how they will implement any necessary changes."

The committee warned the government that it also needs to secure its IT systems due to the vulnerability of "massive new data pools" generated by the new Investigatory Powers Bill.
