[BreachExchange] Should someone be fired for a cyber breach? And if so, who?

Destry Winant destry at riskbasedsecurity.com
Tue Jun 16 10:35:32 EDT 2020


Should heads roll for a cyber breach? And if so, whose head?

Those were questions raised this week with the news that Austrian
aerospace parts maker FACC had fired its CEO after a staffer fell for
the so-called business executive scam where an employee transferred
about US$50 million to an account for a fake acquisition project on a
phony email request from the chief executive.

He was the second to go: In February the chief financial officer was bounced.

According to Reuters, the firm’s supervisory board decided at a
14-hour meeting on Tuesday to dismiss CEO Walter Stephan with
“immediate effect.”

If the fraud sounds familiar, it is. In March news reports emerged
that a year ago toy maker Mattel Inc. nearly lost US$3 million when a
senior finance official fell for almost exactly the same scam — an
email supposedly from the CEO asking money be wired to China, this
time for a new vendor. The money was sent. Fortunately it happened on
a long weekend in China and the receiving bank was closed for three
days. Police got there in time to stop the transaction.

In this case it was hard to fault the financial official. The company
had controls to stop this kind of fraud, a rule that two people had
to approve such transfers: She was one, and the CEO was the other …

Well, Mattel got lucky. FACC reportedly stopped only about US$10
million of the transfer.

These are, of course, not only executive frauds but also spear
phishing attacks. But they raise the question of who is responsible if
they succeed. If a regular employee clicks on a link or an attachment
and downloads malware many organizations would forgive the staffer, at
least for a first offence. Some would discipline. However, most
organizations should (hopefully) have controls over the movement of
large sums of money.
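The two-person rule the article describes for Mattel is the control that matters here, and the reason it failed in spirit is that the "second approval" arrived as an e-mail claiming to be the CEO. The following is an added example (not code from the original post, and not FACC's or Mattel's actual systems) of how a payment-release check can enforce that rule: approvals count only when given through an authenticated session, never by e-mail; the requester cannot be one of the approvers; and a transfer to an account the company has never paid before (the "new vendor" or "acquisition" in both scams) is held until someone has confirmed the account out of band. The approver roster, threshold and account labels are constructed for illustration.

```python
"""
Dual-control ("four eyes") release check for outgoing wire transfers.
Added example: the roles, threshold and account identifiers are assumptions
constructed for illustration, not any real company's configuration.
"""
from dataclasses import dataclass, field


@dataclass
class TransferRequest:
    request_id: str
    requester: str            # staff member who entered the payment
    amount: int               # in whole currency units
    beneficiary: str          # destination account identifier
    beneficiary_verified: bool = False   # True only after a call-back to a number on file
    approvals: set = field(default_factory=set)  # distinct approver identities


class ApprovalPolicy:
    """Enforces separation of duties and out-of-band verification before release."""

    def __init__(self, approvers, known_beneficiaries, threshold=100_000):
        self.approvers = set(approvers)                   # people allowed to approve
        self.known_beneficiaries = set(known_beneficiaries)  # accounts paid before
        self.threshold = threshold                        # above this, two approvals

    def record_approval(self, req, approver, channel):
        """Record one approval; returns the number of distinct approvals so far."""
        # An e-mail saying "the CEO approves this" is exactly what the scam forges,
        # so only an approval given inside an authenticated session is accepted.
        if channel != "authenticated_session":
            raise ValueError(f"approval over {channel!r} is not accepted")
        if approver not in self.approvers:
            raise PermissionError(f"{approver} is not an authorised approver")
        if approver == req.requester:
            raise PermissionError("requester cannot approve their own transfer")
        req.approvals.add(approver)
        return len(req.approvals)

    def release_decision(self, req):
        """Return (ok, reason): whether the bank instruction may be sent."""
        needed = 2 if req.amount >= self.threshold else 1
        if len(req.approvals) < needed:
            return False, f"{needed} distinct approval(s) required, have {len(req.approvals)}"
        # A first-time beneficiary is the hallmark of both frauds in the article;
        # it is released only after someone confirmed the account out of band.
        if req.beneficiary not in self.known_beneficiaries and not req.beneficiary_verified:
            return False, "new beneficiary account not yet verified out of band"
        return True, "released"


def demo():
    """Walk a constructed $50M request through the policy; returns the final decision."""
    policy = ApprovalPolicy(approvers={"cfo", "ceo", "controller"},
                            known_beneficiaries={"ACME-SUPPLIER-ACCT"})
    req = TransferRequest("R1", "finance_clerk", 50_000_000, "NEW-ACQ-ACCT")
    try:
        policy.record_approval(req, "ceo", "email")      # forged-mail style approval
    except ValueError as exc:
        print("rejected:", exc)
    policy.record_approval(req, "cfo", "authenticated_session")
    policy.record_approval(req, "ceo", "authenticated_session")
    print(policy.release_decision(req))                  # held: beneficiary unverified
    req.beneficiary_verified = True                      # after the call-back
    return policy.release_decision(req)


if __name__ == "__main__":
    print(demo())
```

The point of the model is that the control is enforced by the payment system, not by the judgement of whoever reads the mail: even a genuine CEO cannot release a large transfer to an unknown account by e-mail alone.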

Why the CEO and CFO of FACC walked the plank isn’t publicly known, and
Austrian labour and contract law aren’t the same as ours. Was it to
appease shareholders? Were financial controls ignored? Were executives
warned to have controls and management was slow in writing them?

Certainly when executives are let go at publicly-traded companies it’s
public. Most private companies have the luxury of quietly easing
someone out the door, although Canada’s Avid Life Media — owner which
had been trying to go public — let it be known that CEO Noel Biderman
resigned after the huge Ashley Madison breach. Some CEOs keep their
jobs seemingly because boards figure other companies are breached, so
it’s just one of those things. Others, like Target’s CIO, resign amid
news reports that the retailer’s IT security systems actually warned
of an intrusion.

Regardless, the FACC firings got headlines — and C-level officials
around the world are reading them. Hopefully they are taking security
more seriously. But does it take a high-level firing to get their

More information about the BreachExchange mailing list