Organizations have started to recognize the importance of tying executive pay to cybersecurity metrics. This practice is gaining traction among the largest U.S. companies, with nine Fortune 100 companies incorporating cyber goals into the calculation of short-term bonuses for top executives.
Institutional Shareholder Services, a proxy-advisory firm that tracks public companies globally, says 86 organizations follow this trend, including Johnson & Johnson in the U.S., London Stock Exchange Group, and Paragon Banking Group in the U.K.
This marks a significant increase from zero in 2018, as reported by accounting and consulting firm Ernst & Young.
Traditionally, accountability for cybersecurity has primarily fallen on IT and security teams. Experts argue that it is essential for cybersecurity objectives to be integrated higher up the chain and be connected to the compensation packages of senior executives.
William Guenther, chairman of the governance consulting firm Advanced Cyber Security Center, believes that this step can help prioritize security factors in an organization's strategic decision-making process.
Equifax, a prominent credit ratings provider, has already taken steps to tie executive bonuses to cyber goals. After experiencing a massive data breach in 2017, Equifax faced a $1.4 billion settlement and more than $1 billion in technology expenses. In response, the company outlined a multiyear plan to address the issues that caused the breach, including putting executives' short-term cash bonuses at risk if cyber metrics were not met.
Equifax's directors have now incorporated security as part of the ESG goals for yearly executive payouts, as well as for any employee eligible for annual incentive bonuses.
Although many organizations have yet to disclose their specific cyber metrics in public filings, some have provided insights into their approach. Proxy filings from 2022 have listed metrics such as improving scores on cybersecurity preparedness measures and establishing a three-year cyber plan. These disclosures indicate a growing trend of boards paying more attention to cybersecurity.
However, identifying a fair cyber goal to link to compensation is a challenge. It is not as simple as awarding bonuses for avoiding hacks or punishing executives for breaches.
Australian health insurance provider Medibank Private did not have specific cybersecurity goals tied to executive pay before a cyber attack in 2022 that cost the company over $46 million. As a result, Medibank's board canceled short-term incentive bonuses for the CEO, the CFO, and two other top leaders. These individuals collectively had to forgo $3.6 million. The decision to cancel the bonuses was made in consideration of the expectations of customers, shareholders, and the community following the cyber crime event.
Guenther argues that punishing executives after a cyber attack is not an effective means of driving sustained change. Instead, setting clear metrics and providing ongoing support are crucial to ensuring a strong security culture.
Educate your employees and partners with new-school security awareness training to follow security best practices and avoid falling for phishing and social engineering hacks.