EXECUTIVE SUMMARY:

Key highlights

  • In 2022, a small number of public companies (86 total) linked chief executive pay to cyber security.
  • These companies included U.S. pharmaceutical giant Johnson & Johnson, the London Stock Exchange Group and Paragon Banking Group.
  • Linking bonus pay to cyber security may make organizations more secure, according to recent research.

Executive pay and cyber security

Creating sustained change within a corporate culture is tough, but organizations are giving a new strategy a whirl. In 2022, roughly 10% of Fortune 100 companies linked a portion of short-term bonuses for named executive officers to a defined cyber security goal, according to the accounting and consulting firm EY.

This reflects a marked change from 2018, when 0% of the companies researched linked pay to cyber security performance. Will we see further instances of executive pay tied to cyber security in the future? Is that about to become a major new trend? Here’s what’s on the horizon…

Trends and expected outcomes

Although most companies don’t disclose their cyber security metrics in public document filings, disclosures show that stakeholders and boards are emphasizing accountability around cyber security.

While this is a good start, determining precisely how to link bonuses to cyber security performance (and outcomes) isn’t an easy issue to address. Companies can’t simply declare that no data breaches means full bonuses, while a data breach results in a financial penalty. Cyber security just doesn’t operate in such a simplistic way – as you likely know very well yourself.

It’s safe to say that data breaches occur for a variety of different reasons. Routine causes of data breaches include weak passwords, stolen credentials, unpatched applications, malware, social engineering and physical attacks, among other things. Due to the nature of breaches, there isn’t a one-size-fits-all approach when it comes to preventing one (and as a result, there isn’t a foolproof way to link pay to security outcomes).

Metrics and models

The metrics used for linking pay to cyber security outcomes are evolving. Organizations are testing out divergent models. In at least one instance, after reviewing a year’s business performance, the board elected to withhold bonuses from executives on account of a breach that affected nearly 10,000,000 people. The thinking was that if data was lost and lives were affected, executives bore a certain degree of responsibility for the failures.

Current best practices

According to industry experts and analysts, organizations that link cyber security to performance bonuses should be clear about expectations. Punishment in the wake of an attack may not be a motivating modus operandi for executives. Determine which metrics to use and consider requesting support from a variety of in-house experts in the process.

Nearly a quarter of boardrooms still don’t perceive cyber security as a priority. But the board’s message around cyber security sets the tone for executive leadership. If you’re on a board, consider raising the possibility of linking executive pay to cyber security and simply see where the conversation leads – it may reinforce just how important cyber security really is.

For more on this story, please visit The Wall Street Journal. Lastly, to receive more timely cyber security insights and cutting-edge analyses, please sign up for the cybertalk.org newsletter.