Select committee suggests pay cut for execs overseeing data breaches
Chief executives who fail to prevent cyber-security breaches could face having a portion of their pay docked, according to a Culture, Media and Sport Select Committee report on cyber-crime.
The inquiry, which was begun after broadband services operator TalkTalk was plunged into crisis by a high-profile series of cyber-breaches last year, also recommended that those convicted of unlawfully obtaining and selling personal data should face jail sentences of up to two years.
It also said the Information Commissioner's Office (ICO) should have access to a robust system of escalating fines to sanction companies that fail to report, prepare for, or learn from data breaches.
The inquiry found that the issue of data security was a serious problem and one that was still growing. It reported that 90% of large companies had experienced a cyber-breach at some point and that a quarter of businesses suffered cyber-breaches on a monthly basis or even more frequently.
The costs of cyber-attacks to a business can be considerable and in some cases could even lead to insolvency. Brand or reputational damage can have a huge impact on business finances, while an attack itself is often costly. For firms that operate on tight budgets or that are relatively small, it can be very difficult to recover from such an issue.
Effective cyber-security is in the best interests of most businesses but the Select Committee report also focused on corporate responsibility and the rights of consumers whose data is potentially put at risk.
It said that companies should report their cyber-security and data protection strategies to the ICO while including them in their annual reports. To ensure the issue received due attention, it suggested that a portion of CEO remuneration should be linked to effective cyber-security.
It would be appropriate, the report said, for a CEO to lead the crisis response in the wake of a major cyber-attack. Day-to-day responsibility for cyber-security, however, should sit with a delegated individual, who could be sanctioned should it be found that the company had not taken sufficient steps to protect itself and any consumer data it holds.
The report said that it should not be sufficient for companies to claim they were unaware of the risks as the threat of cyber-crime is now so prevalent.
By Phil Smith