Should CEOs Lose Pay For Cybersecurity Failures?

Given all the cybersecurity failures we’ve witnessed thus far, could it be any more clear that our legal and governance incentives and mechanisms for preventing and dealing with cybersecurity attacks are not properly aligned? Here’s the latest data point: The CEO of TalkTalk was paid almost £2 million on top of her base pay of £550,000 in 2015 which included TalkTalk’s latest cyber attack and resulting loss of 95,000 subscribers.

TalkTalk

I came across this news over at the CFO Network group on LinkedIn where Conor Marken recently posted a link to an article entitled Fine Firms For Cyber Security Failures. The article reports that in the UK, members of parliament recently considered whether companies should be fined if they fail to guard against cyber attacks. This comes as they discuss last year’s TalkTalk hack. Here’s the best line:

The committee also recommended that CEOs’ pay should be linked to effective cyber security;

Great sentiment, but who knows if that would really work? Linking CEO pay to other performance factors hasn’t turned out as well as we hoped. Harvard Business Review was sour on the whole idea as early as 1999. And here’s their latest take on it: Stop Paying Executives for Performance.

I’m not sure what the big fix is for the fact that many of the same qualities of the Internet that lets Amazon dominate are the same ones that are fueling the rise of online criminals (bullies): Low-cost, global reach, mostly automated, and largely anonymous. However, it is clear that the legal and governance incentives and mechanisms are not properly aligned.

So, what should we do?