Deep in the guts of corporate America, a sense of shock hit in the days and weeks after hackers hit Target and affected up to 40 million customers in a 2013 breach that made headlines like no other previous hack.
In a lot of boardrooms, it wasn’t the breach or even the millions of dollars lost that grabbed the most attention. It was the subsequent firings of Target executives including CEO, President and Chairman Gregg Steinhafel that fundamentally altered the way corporate leadership looked at cybersecurity. It took the fall of their peers to open everyone’s eyes.
“Target made it personal,” Cory Weech, the vice president for IT security at Four Seasons, said on Monday at a panel on boardroom awareness at the 2017 RSA Conference in San Francisco. “When you have senior executives being replaced, that makes it real for the boardroom.”
Target ended up settling class action lawsuits for about $50 million after attackers breached the chain retailer’s point-of-sale system and stole data including names and all the information required to manufacture counterfeit credit cards.
Since the Target hack, executive-level firings for major data breaches have happened multiple times, therefore demanding attention from the highest levels of corporate America. Amy Pascal, the former CEO of Sony, was fired for the company’s high-profile hack in 2014.
“Now when they see incidents elsewhere,” Weech said of his company’s board, “They want to know how vulnerable they are to that same threat.”
Mindsets have changed across the hospitality industry, he said, so that information sharing on cybersecurity reaches pretty far above other industries.
“We all decided a long time ago that none of us compete in security,” Weech said. “When one of us is breached, it hurts us all equally.”
Well, maybe. It’s hard to imagine someone at a rival brand not hearing cash registers ring if a competitor gets hit in a high-profile breach. But the attackers, tactics and procedures often cross the industry and beyond, making information sharing a valuable proposition even for companies normally at one another’s throat.
The new attention spans across industries. In 2013, only half of American health insurers had any kind of cybersecurity reporting to the board. Now, everyone does, according to a new survey from Moody’s Investor Service published Monday. The number of incidents serious enough to activate escalation to senior management has risen year over year every year Moody’s has asked.
Despite the increased attention and money, hackers are seeing increasing success in their attacks against North American insurance companies. The companies been ramping up cybersecurity efforts dramatically in the two years since the high-profile breach at Anthem Blue Cross that saw nearly 40 million personal records taken by attackers.
But a new survey shows the number of intrusions climbed again so that nearly 40 percent of insurance companies experienced serious incidents in 2015, the last year on record. That number has undoubtedly risen since.