There is always a price to pay for poor information security management.
Yahoo is paying that price and has reacted by penalising the executives it held personally accountable.
Back in December last year we reported on how cyber security impacts on a business in terms of mergers, acquisitions and shareholder exit value - Yahoo being the example.
At that time it wasn’t clear what the financial effects on the Yahoo / Verizon deal would be. It was subsequently revealed to be $350m off the acquisition price, with any liabilities resulting from the breach remaining with Yahoo, which will change its name to Altaba Inc post-deal.
Yahoo is suffering the costs of huge investigations by regulators, legal costs from over 40 lawsuits seeking damages, a dent in consumer confidence, and an even bigger dent in company value.
However, it is clearly showing who it holds accountable by imposing personal financial consequences.
Yahoo has confirmed that CEO Marissa Mayer will not be paid her annual bonus, nor receive a potentially lucrative stock award, because its investigation concluded her management team reacted too slowly to one of the breaches discovered in 2014.
Mayer is eligible to receive a bonus worth up to $2 million annually, and she also volunteered to relinquish the annual stock award, typically in the millions.
The personal costs extended beyond financial penalties. Heads rolled in the security and legal departments, where senior executives resigned, losing severance pay and professional credibility.
This latest news from Yahoo is sobering for executives.
But consider that, in some instances, cyber security threats could potentially cause loss of life or significant harm. Some areas of public sector service delivery could be an example.
With this in mind, could we imagine a time when corporate manslaughter is introduced for careless business leaders who fail to protect their own and their customers’ information assets?
It can’t be that far away. What's for sure is that senior executives are being held personally accountable and should be ensuring their organisation is able to demonstrate effective data protection and information security management.
If you'd like to discover how ISMS.online can help your organisation describe and demonstrate an effective information security management system, get in touch for a no-obligation chat.
Or visit www.isms.online