In August 2017, container shipping company Maersk was hit by a cyber-attack linked to NotPetya ransomware. The attack, which crippled the company and reportedly caused ships to be kept at sea, cost $300m (£232m) in revenues.
TSB bank recently saw its systems crash, leaving customers facing disruption to services. CEO Paul Pester stepped down after seven years in charge. Maersk CEO, Soren Skou, is still in his job.
Under what conditions do a chairman and the board decide that the top executive’s role is vulnerable when it comes to technology risk?
Firstly, there are circumstances that should be considered in relation to the two examples cited.
TSB’s recent travails followed a major IT meltdown in April. As the bank transferred customers’ details to a new platform many were locked out of their accounts and some given access to information about other clients.
With UK banks under close scrutiny since the financial crisis, MPs monitored the situation closely and Pester found himself answerable to them.
Certain sectors, including financial services, are heavily reliant on technology. As John Berney, an experienced chief information officer and director of CIO Plus points out, the IT spend of an FS organisation is traditionally high because it will rely on automation to manage what would be a highly resource-intensive process.
In addition, legislation and regulation pay much attention to the robustness of financial services tech.
“This leads to a much greater dependence upon IT within the sector and any CEO worth his salt should know this,” Berney tells Board Agenda.
Customer trust
Customer trust, an area of fragility for financial services, is also a key concern. TSB lost several thousand clients after its April problems. The “nightmare scenario” for a bank, according to Berney, is a run — and failing to enable access to funds is a “modern-day equivalent to a run on a bank”.
Dr Onur Kemal Tosun, assistant professor of finance at Warwick Business School, concurs with Berney. “In such a dynamic and IT-dependent environment, the agents in the financial sector, such as banks and stock markets, need to have ultimate attention and dedication to IT,” he says.
CEO behaviour during a crisis—aligned with a robust disaster management strategy—is vital, and can prove the difference between being sacked or not.
Dr Tosun points out that although the CEO “is responsible” for IT issues and related consequences, “it should also not be forgotten how this issue is handled”.
“Although there is a failure of operations, the strategies and actions related to aftermath are worth considering.”
Let’s go back to Maersk. CEO Skou admitted to the Financial Times last year that he was initially “at a loss” and he had “no intuitive idea” how to move forward.
However, he then moved quickly to establish the problem and its extent, followed by a focus on both internal and external communication, including which systems were running and which ports were open or closed.
Conversely, Pester was accused by the House of Commons Treasury Select Committee of having “set the tone for TSB’s complacent and misleading public communications” during its IT meltdown.
CEO responsibility
Many will sympathise with a CEO’s plight when it comes to steering a course through complex IT issues. They are rarely “experts” when it comes to tech minutiae. So how much responsibility can they take?
Like other operational areas, the CEO carries ultimate responsibility, confirms Dr Tosun. It comes down to basic delegation of tasks versus being cognisant of risk.
“Consequently, the CEO should be accountable if there is failure in successful delegation of tasks and the operations do not run correctly,” says Dr Tosun.
The risk of IT failure needs to be mitigated—which apparently didn’t take place robustly at TSB.
For Berney, large system migrations are “part of the modern landscape” within M&A and divestment, and there are key steps that need to be covered.
Firstly, a “tried-and-tested process” must be in place, with people who have undertaken similar work. Then, testing to the nth degree must take place to cover every eventuality, and then a fall-back plan must be deployed so business can continue.
“I wouldn’t expect a CEO to get into the detail of this”, says Berney, “but I would expect them to ensure point three was covered as a minimum.”
Ultimately, this is not about “non-experts carrying the can” for the IT department, but a question of risk management, communication, and disaster recovery.
“It is about people fundamentally understanding what is important to their business and demonstrating it by their actions,” says Berney.