Recurring Customer Data Breaches Make A Nonsense Of Corporate Governance
A strong focus on corporate IT systems and on cyber security should go hand in hand. We are now at an inflection point, a time of technological transformation at which business 'purpose' and business practice come together, and consumer protection should be at the heart of any scrutiny of them. But from both UK regulation and the law, there is a strange silence and inaction to the point of paralysis.
The all-too-familiar scenario from UK plc is becoming the corporate data breach, followed by much hand-wringing and an apology increasingly finessed by the public relations department for authenticity and the power to play on social media - while customers suffer the chaos. It makes a nonsense of the notion that there is a renewed commitment in the UK to looking at whether corporate governance as currently defined is fit for purpose.
"The banking software at the heart of TSB’s troubles this week was doomed to failure from the start, an insider with extensive knowledge of the systems involved has said," reads The Guardian story this morning. It should come as a shock, but in a reflection of how inured we have become to regular corporate failure to address the longer term, it does not.
As the story explains, when TSB split from Lloyds Banking Group (LBG), a move forced by the EU as a condition of its taxpayer bailout in 2008, a clone of the original group’s computer system was created and rented to TSB for £100m a year. An insider with extensive access to and knowledge of the internal systems at the time describes the cobbling together of disparate systems in haste.
Under cover of the useful moniker "legacy systems" (implying an inheritance that is both unfortunate and blameless, since it was simply handed down), banks have repeatedly dismissed their carelessness in ensuring that their technology was fit for purpose. While top management remuneration has come through IT meltdowns unscathed, customers have suffered again and again.
An entrenched media tendency for years to term IT failure as a 'glitch' hasn't helped.
RBS managed to misplace 600,000 payments to customers in 2015 only months after it was hit with a £56m record fine for what was described as "IT meltdown" years earlier in 2012. Regulators undertake 'reviews', the Financial Conduct Authority launches investigations and assures consumers that it is working with the offending corporate - until the next time.
It isn't only the banks and the financial services industry that are at fault. Remember TalkTalk and the data breach two years ago? The CEO at the time, Dido Harding, did have her bonus and LTIP cut, but she left the business having seen her earnings rise by £1.8m the previous year.
But, given that managing people's money is at the heart of a bank's business model, surely it should require far more accountability than it appears to in the UK today.
There is no lack of media coverage of the ill-preparedness of the industry. I covered it on Forbes for four years, archive here. Only last year I wrote about the lack of preparedness of British boardrooms on cyber security and a cyber security breaches survey of UK business conducted by the UK government itself. So it is not as if the UK government is not aware of a massive problem.
But as so often seems to happen, there is a gap between knowledge and action. And perhaps an even bigger gap when it comes to blame, and accountability.
The pages of recent corporate history are littered with 'honest mistakes' on the part of top management. When it comes to anything to do with technology, there seems to be a tendency to fall back on the notion that technological transformation is so hard, and we are all so clueless, that somehow we must cut management some slack, because "these things happen", these "glitches". But there is one constant: management is paid the same as it ever was, regardless of a lack of innovation in how it goes about cyber security. Collaboration on insights does not appear to be an option.
Chairmen and CEOs vary in how good they are at apologies to consumers at moments of clear corporate failure in all industry sectors. As I wrote on Board Talk on Carillion in February: "penitents in a corporate capacity now embrace the 'moral' stance by being as regretful as possible ... stopping well short of mea culpa or any talk of giving up financial rewards linked to their role."
The CEO of TSB, Paul Pester, is clearly well tuned to the growing demands of consumers across social media. His many briefings to journalists about the bank being "on its knees", casting him and the bank as supplicants awaiting forgiveness from the mighty customer, make for a great 'sound bite' and as such have been heard everywhere.
Less well known, I suspect, is the coverage of TSB's apparent lack of a fallback system while rolling out the new one, which suggests appalling risk management and was revealed in a report by The Register.
"What surprised me is the fact that TSB allowed the buggy system to run through their 1.9 million customers [without what appears to be] proper testing of the new system," Shujun Li, professor of cybersecurity research at the University of Kent, is quoted as saying.
So what will TSB's remuneration committee do when the question of Paul Pester's bonus comes up - and is that really the only tool we have on this critical issue of corporate governance?