MPs urge Government to dock executive pay for cyber attacks

Chief executives who fail to prevent cyber security breaches should have a portion of their pay docked, the Culture, Media and Sport Select Committee said as it published the results of an inquiry into the cyber attack that plunged the broadband operator TalkTalk into crisis last year, reports The Telegraph.

Britain’s status as the leading internet economy in the G20 is under threat from a combination of increasing reliance on digital infrastructure, and inadequate protection of it, according to the report.

Its recommendations were announced as Baroness Harding, TalkTalk’s chief executive, saw her performance bonus slashed by more than a third to £220,000 as a result of the company’s security failings. She donated all of the cash to a charity, Ambitious About Autism.

Lady Harding’s overall remuneration nevertheless almost tripled to £2.8m, despite a year in which TalkTalk’s share price fell by 31pc. The company said the steep increase reflected the vesting of shares awarded under a three-year Long-Term Incentive Plan (LTIP).

A spokesman said: “The Remuneration Committee reviewed the LTIP award in the light of the cyber attack, but as the company significantly outperformed the target set over the period, it was an accurate reflection of 2012-2015 performance.”

Jesse Norman, chairman of the culture committee, said: “TalkTalk responded quickly and well to this attack, but appear to have been much less effective in the past, failing to learn from repeated breaches of different kinds.”

He called on TalkTalk to publish an internal investigation of the incident in October carried out by PwC to give customers more information about what went wrong and how it is being addressed.

TalkTalk, Britain’s fourth-largest broadband provider with four million customers, discovered a breach of security on its website that it described as a “significant and sustained cyber attack”. It received a ransom demand for the data from online criminals and warned all customers that their personal information was at risk. Arrests followed and the case remains under investigation by police.

The culture committee said the attack was a “wake-up call” to companies, which should ensure digital security is on chief executives’ agenda by linking it to pay. Large organisations should also employ an executive with full day-to-day responsibility for securing IT systems, the MPs said.

Mr Norman said: “Companies must have robust strategies and processes in place, backed by adequate resources and clear lines of accountability, to stay one step ahead in a sophisticated and rapidly evolving environment.

“Failure to prepare for or learn from cyber-attacks, and failure to inform and protect consumers, must draw sanctions serious enough to act as a real incentive and deterrent.”

He called on the Government to enact dormant laws that would see those who buy and sell stolen data jailed for up to two years. Currently, criminal hackers can be imprisoned, but those who trade their stolen goods in online black markets may face only a fine.

The Information Commissioner’s Office, responsible for enforcing data protection legislation, should also introduce a system of escalating fines that punish companies that fail to prevent the most common forms of cyber attack, the select committee said.