"Travelex had public-facing Windows remote-desktop servers with no NLA enabled"
Not acceptable. This is a professional company dealing in international currencies and with direct links to banks, there is no excuse for not having a properly secured environment.
The CEO should be dumped without a parachute. The next one can go about firing the head of IT. Being hacked is one thing, but not doing one's due diligence on security when dealing in this kind of market means that heads should roll.