The Advisors' Blog

This blog features wisdom from respected compensation consultants and lawyers

November 30, 2023

Cybersecurity Breaches: Adjustments to Earned Compensation

Some of the largest US companies are implementing (or considering) cybersecurity metrics in their compensation programs, and specific metrics may be appropriate in certain cases (for example, after a cyber event or when security upgrades are planned). But this Semler Brossy article highlights a cybersecurity-related consideration that applies to compensation programs at all companies: whether the board has the flexibility to make compensation adjustments when a cyber event occurs.

The article argues that boards should have the freedom to adjust earned compensation based on a qualitative assessment that considers whether the related cyber risk was avoidable, the level of communication to the board, whether mitigation plans were implemented, and the appropriateness of management's situation-specific judgment calls. For example, this WSJ article highlighted one company with no cybersecurity metrics in its executive compensation programs whose board nonetheless canceled short-term incentive bonuses for certain top executives after a significant cyber event.

Clawbacks may play a role here as well. Here’s an excerpt from the Semler Brossy article:

In addition to developing a framework for determining adjustments to current-year compensation, boards should review the clawback language to assess where there is flexibility to claw back compensation, if appropriate (e.g., the breach was caused by gross negligence or reasonable mitigation steps were not taken to limit damage after the breach). In considering whether to add such a clawback, and the appropriate language, a review of risk clawbacks added by many large financial institutions after the financial crisis may also be informative.

Meredith Ervine