Cybersecurity Enters Conversation About Executive Pay

Some executives have seen bonuses reduced after damaging hacks

By Kim S. Nash
Updated Aug. 30, 2023 8:20 pm ET | WSJ Pro

Eighty-six public companies tied executive bonuses to cybersecurity objectives last year, Institutional Shareholder Services found.

Photo: Thomas R Lechleiter/The Wall Street Journal

Companies are starting to tie bonuses for their chief executives and other top leaders to cybersecurity metrics, a move that governance experts say could make them more secure against hackers.

The practice is inching up among the biggest U.S. companies, with nine of the Fortune 100 companies linking a portion of short-term bonuses for named executive officers to a cyber goal in 2022, according to new research from accounting and consulting firm EY. That is up from zero in 2018, EY said.

Proxy-advisory firm Institutional Shareholder Services found that 86 of the more than 15,000 public companies it tracks globally did so last year. Among them are U.S. pharmaceutical company Johnson & Johnson, London Stock Exchange Group and Paragon Banking Group in the U.K. The companies didn’t immediately respond to a request for comment.

Accountability for cybersecurity often lies with the technology and security departments, said William Guenther, executive chairman of the Advanced Cyber Security Center, a governance consulting firm. But, he said, cybersecurity objectives should go higher up the chain and be tied to the compensation packages for senior executives. This can help push security factors into a company’s strategic decisions, he said, adding, “It’s one step, and a valuable one.”

Credit-ratings provider Equifax has partly tied executive bonuses to cyber goals since a massive data breach in 2017 that ultimately resulted in a $1.4 billion settlement of a consumer lawsuit, plus settlements with states and technology expenses of more than $1 billion. In 2018, the company outlined a multiyear plan to address problems that led to the breach, which exposed personal data for 147.9 million U.S. consumers, including putting executives’ short-term cash bonuses at risk if cyber metrics weren’t met.

Directors at Equifax have since embedded security as part of environmental, social and corporate governance goals for those yearly executive payouts as well as for any employee eligible for annual incentive plan bonuses.

Employees are held to one or more security goals from those set by the cybersecurity department appropriate to their role, according to Equifax’s latest proxy statement. The company didn’t immediately comment.

Many companies, such as Equifax, don’t spell out their cyber metrics in public filings, but some do. Proxy filings in 2022 listed metrics such as improving scores on specific cybersecurity preparedness measures and defining a three-year cyber plan.

While the numbers are small, such disclosures show a rising trend of boards paying more attention to cybersecurity, said Patrick Niemann, EY Americas audit committee forum leader.

Still, defining a cyber goal that is fair to link to compensation is challenging, Niemann said. It isn’t as simple as paying a bonus for not being hacked in a given year and wiping that pay away after a hack, he said. Metrics are evolving.

“They’re trying things out,” he said. “The one thing we do see is that cybersecurity is a top priority for virtually all boards.”

Sometimes the link between cybersecurity and bonuses is more stick than carrot. Australian health-insurance giant Medibank Private didn’t have specific cybersecurity goals tied to pay for its top executives before a 2022 cyberattack that cost the company more than $46 million.

Medibank’s board last week canceled short-term incentive bonuses for the chief executive, chief financial officer and two other top leaders because of the attack, which exposed personal, and in some cases medical, data of nearly 10 million people. The executives had to forgo $3.6 million in total.

“With consideration of the expectations of our customers, shareholders and the community following the cybercrime event, the board exercised discretion,” directors wrote in Medibank’s 2023 annual report.

“At the time of the cybercrime event, our Chair said there would be a time for consequences, and you have seen last week in our announcement what those are,” a Medibank spokeswoman said. “It was a serious event and that means there are serious consequences,” she said.

Guenther of ACSC said that companies should lay out what they expect from their executives in advance. Punishment after a cyberattack generally doesn’t lead to sustained change, he said, adding that setting metrics requires support—“otherwise, it’s useless.”

Write to Kim S. Nash at [email protected]
