Today Home Depot confirmed that they have been the victims of a catastrophic data breach. If history is any indicator, the cost of this revelation could be best described with a simple phrase:
Carthage must be destroyed.
Prior to the outbreak of the Third Punic War, hawkish elements of the Roman Republic began to popularize the phrase Carthago Delenda Est – Carthage must be destroyed. The phrase was a response to the rise of Carthage's military power in the region, and advocated a complete destruction of Rome's geopolitical rival in order to preserve Roman dominion over the Mediterranean.
Much like hawks in Rome called for the total destruction of Carthage in the face of war, so too have elements of Wall Street adopted a "total destruction" attitude towards the senior leadership managing companies in the face of suffering critically-damaging cyber attacks and data breaches.
Image from www.wodumedia.com
The job of a public company’s Chief Executive Officer is generally guided by one principle: to improve the equity value of the company. As the captain of the ship, the CEO is typically the most visible and responsible when it comes to guiding the course of a publicly traded company through the murky waters of business towards greater per share value for investors holding its shares.
Typically this means that most public market CEOs have been too focused on high level strategy to spend time on operational facets of the business, like security. Such operations are left to other staff - first, other executives like the CSO (Chief Security Officer) and, further down the line, practitioners like incident responsers and systems administrators.
In the past, this has also meant that CEOs and other high-level executives were rarely held accountable when it came to security issues. Even glaring security vulnerabilities or critical cyberattacks were seen purely as tactical and operational issues. A CEO might be tasked with overseeing some kind of inquisition to “burn out” those from the company who “allowed” that attack to occur. But the CEO him/herself was never the one whose job is hanging on the precipice for the attack or its consequences.
That all changed with Target. After Target was the subject of a massive, well-coordinated data breach by cybercriminals, shares in the company plummeted over 10% in the months following the public acknowledgement of the breach – constituting a loss in over $6B in equity value to the company’s shareholders.
The damages extended into other parts of the company’s balance sheet. According to the company’s earnings report in February 2014, the company attributed a drop of over 5.5% in sales transactions during the critical holiday season to concerns from the breach. It was the largest loss in sales transactions since the company began reporting that statistic in 2008. While the final bill has yet to be cut in the breach, it’s expected that Target’s bill due to the breach will run well into the billions.
With such huge, strategic losses to the company and its equity, the unthinkable happened: Target’s CEO resigned. A 35-year veteran of the company, Gregg Steinhafel stepped down along with the company’s CIO. Steinhafel’s departure from the company was the first time the CEO of Fortune 500 company was ousted due to the damages of a cyberattack.
History seems to be repeating itself. In the last few days since this writing, Home Depot has admitted that it is investigating a potentially massive data breach that bares a striking resemblance to the one that hit Target just nine months prior. In response, the company’s stock has plummeted over 3% in less than a full day of trading, constituting a startling loss of over $5B in equity value.
It’s too early to fully know what this new data breach will cost Home Depot. But if Target is any indication of what may happen, Home Depot could see a similar “battle of the titans” power struggle in the board room as the company’s shares burns around it, like lava around Pompeii.
Steinhafel’s departure is a good example of how a CEO gets forced out due to a hacking attack. As news of the data breach began to impact key strategic indicators – statistics reported to investors – the company’s stock began to wither. This withering elevated the data breach’s responsibility beyond the confines of the IT department and to the boardroom.
The response to this withering was a clarion call to summon one of the public market’s most powerful and feared forces: the activist investor group. Institutional Shareholder Services (or ISS), a major proxy advisory firm that serves the interests of major hedge funds and other public market investors, recommended that seven members of Target’s board be removed in response to “failing to protect the company” from the data breach.
ISS’ pressure certainly pushed Steinhafel’s oust, but ultimately it was the reputational risk to the company’s brand that delivered the coup de grace. As time progressed and details about Target’s security practices came out, the long-term impact of the attack degraded core metrics like sales velocity and profit. Many consumers lost faith in Target’s ability to safely conduct their transactions, and irreparable damage was done to the company’s reputation and brand.
With strategic damages so great, somebody had to fall. George Steinhafel and CIO Beth Jacob were necessary sacrifices to “right” the ship for the investment community. Their departure helped to preserve many of the other 5 board members ISS recommended to be sacked, as proved by a reinstatement of most of the Target board during the company’s Annual Investor’s Meeting in June.
It’s far too early to know what will happen with Home Depot’s executives. But one fact remains clear: the damages due to data breaches and other major cyber attacks are no longer simply the concern of the IT department. The reputational risk and impact on strategic metrics due to security events like the ones that struck Home Depot and Target are enough to bring down the heads of Fortune 500 companies.