Microsoft has come under fire recently from both the US government and rival companies for its failure to stop a Chinese hack of its systems last summer. One change the tech giant is making in response: linking executive compensation more closely to cybersecurity.
It has become more common for corporations to tie a percentage of annual executive bonus payouts to various goals that go beyond meeting sales and profit targets.
The conversations about cybersecurity-linked executive pay have started taking place at other companies since Microsoft made its move, according to Aalap Shah, managing director at executive compensation and leadership consultancy Pearl Meyer. It’s not prevalent as a compensation practice today, he said, but he added, “post-Microsoft’s announcement, I’ve gotten phone calls asking, ‘Should we do it? Would it work?’ ... These conversations are very similar to the ones we were having a few years ago with ESG metrics and a significant percentage of companies adopted them.”
Shah said there is a case to be made that cybersecurity is a core issue that can be equated to mining or industrial safety. But there’s a big difference between a business in cybersecurity and, for example, a retailer, in making this case. And even in industries beyond technology and cybersecurity where keeping data secure is a core issue, such as financial services and health care—which have been targets of high-profile hacks—it’s not a clear case yet to tie executive compensation of the most senior people, such as a chief financial officer or general counsel, to cybersecurity, versus the chief information security officer or chief technology officer.
“The most important message being sent internally and externally is it’s very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant,” Shah said. “What they want to do is make sure it is becoming ingrained culturally, and the path to do that is by linking it to compensation.”
Many companies that adopted ESG metrics did so only in the bonus portion of executive pay, not the long-term incentive plan, which is much more significant. “That’s putting your money where your mouth is,” Shah said.
A bonus may comprise, on average, 20% of executive pay, and within the bonus pool specifically, non-core financial metrics such as ESG only contribute 20% of a potential total bonus payout. “When you have 20% of overall [bonus] compensation and divvy it up into a few different metrics, how much are you really tying something like cyber to it?” Shah said.
Long-term incentive plans tied to equity grants, especially in tech, are where the real money is made, and that’s where these types of non-core financial metrics are low in prevalence. That would be the ideal place within a compensation plan to set pay against long-term cybersecurity and corporate goals, but it is difficult for firms to conceive of two-to-three year goals related to cybersecurity, consumer privacy, and data breaches that can be measured like sales and profit.
“It will be a challenge,” Shah said. “Is it the number of incidents? The caution I have is the same as with ESG: you want to make sure that not only is the relevance there, but you also want to make sure there are quantifiable goals. In a rush to adopt, if it’s subjective, then it is less meaningful for shareholders.”