The Advisors' Blog

This blog features wisdom from respected compensation consultants and lawyers

September 5, 2023

Executive Compensation Metrics: Cybersecurity Trending?

Cybersecurity has been on my mind lately. As Dave blogged on TheCorporateCounsel.net, in late July the SEC adopted amendments to its rules that will require periodic disclosures regarding cybersecurity risk management, strategy and governance, as well as current disclosure on Form 8-K of material cybersecurity incidents. The compliance timeline is tight — with periodic disclosures required starting with annual reports for fiscal years ending on or after December 15, 2023 and the 8-K incident disclosure required starting December 18, 2023 (for non-SRCs) — so the rules require immediate attention.

It’s not a topic we often blog about here, but this WSJ article about another cyber development got my attention. Companies are starting to use cybersecurity metrics in their annual bonus plans for top executives.

The practice is inching up among the biggest U.S. companies, with nine of the Fortune 100 companies linking a portion of short-term bonuses for named executive officers to a cyber goal in 2022, according to new research from accounting and consulting firm EY. That is up from zero in 2018, EY said. ISS ESG, the data arm of proxy-advisory firm Institutional Shareholder Services, found 86 of the more than 15,000 public companies it tracks globally did so last year.

The article cites Equifax as an example of a company that incorporates cyber goals, which was part of a multiyear plan following the company’s 2017 breach. Here’s a snippet from Equifax’s 2023 CD&A:

In 2018, the Committee added a cybersecurity performance measure as one of the metrics under the AIP, in order to promote a Company-wide focus on data security and reinforce our overall security program goals. Non-financial goals have proven to be an effective tool for motivating executives to execute on our key strategic initiatives.

Given the significant progress we made in strengthening our data security program, the positive feedback we received from shareholders on incorporating cybersecurity performance in the executive compensation program and the continued importance of prioritizing cybersecurity in our strategic priorities, beginning in 2021, the Committee determined to move cybersecurity from a single Companywide AIP performance metric to a required component of the non-financial goals that comprise up to 20% of the AIP opportunity for all bonus-eligible employees.

As a result, Equifax employees who participate in the AIP have a mandatory security-focused performance goal as part of their individual objectives, which is designed to support the highest level of performance under our global cybersecurity awareness program. Employees are required to identify one or more pre-determined security goals, established by the Security Department, that are most appropriate to their role and scope of responsibility.

– Meredith Ervine