Chief executive officers beware: Data breaches can now cost you your job.
Yesterday Target Corp.’s board ousted CEO Gregg Steinhafel in the wake of a hacker attack that compromised the personal data of millions of shoppers during the holiday season. Steinhafel’s main error was to move too slowly in shoring up the chain’s defenses even after being warned that point-of-sale terminals were vulnerable to cyber criminals.
His fall reverberated in corporate boardrooms everywhere. Since revelations that Target, luxury chain Neiman Marcus Group Ltd. and arts-and-crafts retailer Michaels Stores Inc. had all been hacked late last year, company directors have embarked on a crash course to understand the threat and how to combat it. Next month, the National Association of Corporate Directors will convene in Chicago for its first Cyber Risk Summit.
“This is a sea change, right here, right now,” said Davia Temin, of Temin & Co., a New York crisis-management firm. “The risk now goes right smack to the CEO and to the board.”
The data breach was the last straw for Target directors, who replaced Steinhafel as chairman and CEO, saying it was time for new leadership. He had been at the chain for 35 years, showing that even a company veteran isn’t immune. John Mulligan, Target’s chief financial officer, will serve as interim CEO while the company seeks a permanent chief, according to a statement. Board member Roxanne Austin, a former DirecTV executive, will be interim chairwoman.
The shares declined 2.1 percent to $58.64 at 9:33 a.m. in New York. That came after the stock dropped 3.5 percent yesterday.
Bloomberg Businessweek reported in March that Target had ignored warnings from its hacker-detection tools, missing an opportunity to stop the attack sooner. The breach compromised 40 million credit-card numbers -- along with 70 million addresses, phone numbers and other pieces of information.
After the attack became public in December, Target’s reputation and foot traffic took a hit. Its U.S. comparable-store sales fell 2.5 percent in the fourth quarter. The Minneapolis-based company already had replaced the top technology executive, and now Steinhafel has become the most prominent corporate leader to be felled by a cyber attack.
Other companies will probably face pressure to hold executives accountable for their handling of data breaches.
“It sends a very loud and clear message that nobody is indispensable, and CEOs have to mind the store in every respect,” said Howard Gross, managing director of the retail and fashion practice at executive search firm Boyden Global Executive Search in New York. “After something like this, a lot more CEOs will be taking a hard look at their security.”
Directors and CEOs are rushing to put together a strategy for dealing with breaches as it becomes increasingly clear that the IT department is unable to stop them, said Shawn Henry, president of CrowdStrike Services Inc. in Irvine, California, and a former executive assistant director of the FBI involved in fighting cyber crime. The last two years have been marked by rising awareness that the top executive can’t be out of the loop and that the risk is growing, he said.
Besides the Cyber Risk Summit scheduled for June 11, the National Association of Corporate Directors has created an eight-part video series that explains the basic issues to boards and how they can deal with the risk, said Ken Daly, the group’s president. A 2014 white paper on the topic has become the association’s top downloaded report, he said.
The report estimates that cyber criminals are stealing up to a terabyte of data each day and that, in just four years, the average annualized cost of cyber crime to an organization has risen 78 percent. The average time required to detect and respond to a cyber attack has increased by almost 130 percent, according to the NACD report.
“It’s been on the radar for a while, but surely Target catapulted it into the big time,” Daly said, adding that the cyber summit will probably sell out.
Target’s failure has helped elevate the issue from a conundrum for audit committees to an issue for the entire board and top executives, said Jerry Storch, a former Target executive who now runs his own consulting firm, Storch Advisors.
“No one really believes the CEO could prevent a data breach, but the CEO is responsible for anything that happens, both good and bad,” said Storch, who spent more than a decade at Target, including four years as vice chairman, and served as CEO of Toys “R” Us before leaving last year. “That’s part of having the job.”
Target’s next CEO, and leaders at other companies, need to learn from Steinhafel’s downfall to develop a better response to breaches, said Kathy Gersch, executive vice president at Kotter International, a leadership and strategy firm. The U.S. Secret Service is investigating a possible data breach at Sears Holding Corp., and Las Vegas Sands Corp. said last month customer data was stolen in a cyber attack.
Gersch’s own account was hacked and she described Target’s response as lacking.
“They have more people interested in legality than in the customer experience,” she said.
The frustration of consumers with Target is part of a bigger sense that top executives have to respond more quickly to, and be more aware of, issues in their companies, said crisis management adviser Temin. Both Target’s data breach and the highly publicized recall of General Motors Co. vehicles with fatal defects punctuate that urgency, she said.
“You have technological issues buried down in layers of the company and solutions buried down in the company, and to some degree it’s seen as part of the old idea of plausible deniability baked into a company culture,” she said. “With the growing demand for transparency, it’s no longer acceptable and it’s no longer believable.”