Even a well-prepared organization can be surprised by a new form of attack. Strong systems and practices are table stakes: the risks of getting it wrong are significant, and the potential costs are material and lasting. Expecting and responding to disruption has become the normal course of business.
So, should organizations — and, more specifically, their boards of directors — pay employees for non-events or penalize them for the inevitable?
Two key questions bring this subject to life in corporate boardrooms:
- Should incentive plans directly include a cybersecurity metric for top corporate officers, or does the effect of an incident on earnings already reflect it sufficiently?
- How should boards and board committees consider the impact of cyberattacks on incentive plan outcomes?
Implications of Cybersecurity Events
A cybersecurity event can affect regular business operations in numerous ways, both in the short and longer term.
Compensation committees and their boards should have flexibility to review the situation in the context of compensation outcomes, then determine a fair, equitable and defensible pay result.
Having a process to deal with the security event is more important than trying to predict and measure, in advance, the “right” compensation or governance solution.
Risk Mitigation
Key tenets of good governance call for actions, policies and processes aimed at mitigating risk, and it all starts at the top. Building a seasoned board — whose members have years of experience and a diverse perspective on the many aspects of business — is critical.
Recently, as they are rounding out the necessary complement of board skills, many organizations have focused on building or hiring board members with expertise in cybersecurity. Strong processes — including regular reviews by, reporting to and education of the board — will likely enhance the effectiveness of the oversight function and risk mitigation. Again, strong cybersecurity oversight has become table stakes for board and committee work plans.
Within an organization's own environment, management owns the day-to-day operation of the systems, processes and plans that address material threats. Monitoring management's cybersecurity practices has therefore become a necessary and fundamental part of risk management at the board level.
Cyberattacks are growing in both number and sophistication, requiring continuous improvement and increased resources (both financial and human) within corporations. While insurance is an important element of risk mitigation, on its own it is unlikely to demonstrate thoughtful preparation. Adding transparency, insight and relevant experience to the board's toolkit will support better outcomes.
Compensation Design
Strong financial outcomes and sophisticated business strategies can be measured in detail, and performance expectations for them can be set with a good deal of accuracy. The same is not true for an event that should be an anomaly.
Designing your way out of every potential business situation has never been the objective. A strong plan addresses all the “known knowns” very well. Conversely, most plans are not very good at addressing the “known unknowns” (at least, in advance).
A strong plan design considers the potential for uncertainty in the key areas that drive financial performance. Most plan designs do not (and probably should not) directly anticipate events that have a relatively low probability of occurring but could have a significant impact on business results if they do. This is where business judgment and discretion have a very real and legitimate place in compensation governance.
The very nature of a cybersecurity event requires careful evaluation to assess fairly and appropriately when it comes to compensation. Automating the compensation outcome through design seems to be a recipe for disappointment. Each incident is unique, particularly because organizations that suffer attacks also have very different incentive plan designs.
Furthermore, the cost impact can vary and be incurred over time. This could include:
- Direct remediation costs at the time of the attack;
- Business interruption costs;
- Longer-term investments in security systems and processes; and,
- Litigation and settlement reserve and costs.
The full scope of these costs often cannot be assessed at the time of the incident; some of them emerge only months or years later.
Shareholder Alignment
With jobs, annual bonuses, long-term incentives (LTIs) and, in many cases, significant portions of personal wealth tied to share price, executives already are well aligned with shareholders (or should be). There is a clear incentive to ensure they protect shareholders from the potentially material adverse effects of a cybersecurity event.
When an event occurs, management should automatically feel the pain in a well-constructed and deployed compensation arrangement. The need for additional penalties may (or may not) be warranted. Clearly, though, the board has a responsibility to understand the impact and assess whether their existing tools are responding appropriately. Perhaps the share ownership guidelines and performance-based LTI plans have provided sufficient “alignment” — in this case, a penalty.
Beyond compensation tools, the board also will typically review the unintended consequences of those programs:
- Has the event caused an outsized impact on pay?
- Is retention a risk that has been introduced or compounded by the event?
Incorporating a specific and direct cybersecurity metric (and targets) in incentive plans presumes clear identification of relevant measures, a clear line of sight for management impact, and a sense of fairness and equity for all stakeholders.
While some fundamental best practices exist, preparation and measurement are most effective with the benefit of hindsight. Setting direct measures is fraught with challenges and the knowledge that the event — should it arise — is likely to look very different.
Post-event evaluation has the highest likelihood of a reasonable outcome because most of the information about strengths and weaknesses of preparation and response will be known and can be evaluated appropriately to determine the impact on incentive pay.
Boards already have some tools at their disposal that can support the evaluation of a cybersecurity event, including discretionary powers (as reluctantly as they may be deployed) and clawback provisions — the better-late-than-never catch-all. Expecting the board to predict and measure events in advance for formulaic insertion in an incentive program may be a step too far, at least for material breaches stemming from unfamiliar attacks.
Given the unpredictable nature of cybersecurity events, the wide variation in their potential impact and the role that existing tools already play in setting the tone for executives, this is an area in which the board's business judgment should be paramount in determining the appropriate response and outcome. The board must balance business needs, shareholder alignment and the interests of the broader group of stakeholders (customers, employees, the community and so on). Its role is central to a positive resolution, and it needs the latitude to do the right thing.