Recently, the Austrian aircraft company FACC fired its CEO of 20 years because he fell victim to an online scam that cost the company over $50 million. Does the decision to fire a tenured CEO for one cybersecurity mistake set a precedent? Will other boards follow suit?

The Sarbanes-Oxley Act of 2002 came about after a series of well-publicized corporate frauds at companies such as Enron, WorldCom, Sunbeam, Xerox and Global Crossing. In response to the corporate malfeasance in all of these cases, the Sarbanes-Oxley Act imposed financial and technical regulations for the purpose of improving the accuracy and reliability of financial reporting.

Some have viewed the Sarbanes-Oxley Act as a knee-jerk reaction to these fraudulent events, believing that the regulations are imposing and burdensome; however, cybersecurity professionals and systems auditors, who have historically met resistance when deploying even baseline controls, viewed it favorably.

In addition to improvements in the design and effectiveness of internal controls, the Sarbanes-Oxley Act requires CEOs and CFOs to certify the verity of their financial statements, for which they are personally liable. Since then, numerous highly publicized breaches, at companies such as Target, Home Depot, Sony, TalkTalk and, more recently, the Austrian aircraft parts company FACC, have resulted in the terminations of CEOs and other executives. But do these breaches establish a trend for future executive collateral damage for a cybersecurity mistake?