Should heads roll for a cyber breach? And if so, whose head?
Those were questions raised this week with the news that Austrian aerospace parts maker FACC had fired its CEO after a staffer fell for the so-called business executive scam, in which an employee transferred about US$50 million to an account for a fake acquisition project on the strength of a phony email request that appeared to come from the chief executive.
He was the second to go: In February the chief financial officer was bounced.
According to Reuters, the firm’s supervisory board decided at a 14-hour meeting on Tuesday to dismiss CEO Walter Stephan with “immediate effect.”
If the fraud sounds familiar, it is. In March, news reports emerged that a year ago toy maker Mattel Inc. nearly lost US$3 million when a senior finance official fell for almost exactly the same scam — an email supposedly from the CEO asking that money be wired to China, this time for a new vendor. The money was sent. Fortunately it happened on a long weekend in China and the receiving bank was closed for three days. Police got there in time to stop the transaction.
In this case it was hard to fault the financial official. The company had controls to stop this kind of fraud, a rule that two people had to approve such transfers: She was one, and the CEO was the other …
Well, Mattel got lucky. FACC reportedly stopped only about US$10 million of the transfer.
These are, of course, not only executive frauds but also spear phishing attacks. But they raise the question of who is responsible if they succeed. If a regular employee clicks on a link or an attachment and downloads malware, many organizations would forgive the staffer, at least for a first offence. Some would discipline. However, most organizations should (hopefully) have controls over the movement of large sums of money.
Why the CEO and CFO of FACC walked the plank isn’t publicly known, and Austrian labour and contract law aren’t the same as ours. Was it to appease shareholders? Were financial controls ignored? Were executives warned to have controls, and was management slow in writing them?
Certainly when executives are let go at publicly-traded companies it’s public. Most private companies have the luxury of quietly easing someone out the door, although Canada’s Avid Life Media — the Ashley Madison owner, which had been trying to go public — let it be known that CEO Noel Biderman resigned after the huge Ashley Madison breach. Some CEOs keep their jobs seemingly because boards figure other companies are breached, so it’s just one of those things. Others, like Target’s CIO, resign amid news reports that the retailer’s IT security systems actually warned of an intrusion.
Regardless, the FACC firings got headlines — and C-level officials around the world are reading them. Hopefully they are taking security more seriously. But does it take a high-level firing to get their attention?
Should someone be fired over a breach? Let us know what you think in the comments section below.