Should CEOs Lose Pay For Cybersecurity Failures?

Given all the cybersecurity failures we’ve witnessed thus far, could it be any more clear that our legal and governance incentives and mechanisms for preventing and dealing with cybersecurity attacks are not properly aligned? Here’s the latest data point: The CEO of TalkTalk was paid almost £2 million on top of her base pay of £550,000 in 2015, a year which included TalkTalk’s latest cyber attack and the resulting loss of 95,000 subscribers.


I came across this news over at the CFO Network group on LinkedIn, where Conor Marken recently posted a link to an article entitled Fine Firms For Cyber Security Failures. The article reports that in the UK, members of parliament recently considered whether companies should be fined if they fail to guard against cyber attacks. This comes as they discuss last year’s TalkTalk hack. Here’s the best line:

The com­mit­tee also rec­om­mend­ed that CEOs’ pay should be linked to effec­tive cyber secu­ri­ty;

Great sentiment, but who knows if that would really work? Linking CEO pay to other performance factors hasn’t turned out as well as we hoped. Harvard Business Review was sour on the whole idea as early as 1999. And here’s their latest take on it: Stop Paying Executives for Performance.

I’m not sure what the big fix is for the fact that many of the same qualities of the Internet that let Amazon dominate are the same ones that are fueling the rise of online criminals (bullies): low cost, global reach, mostly automated, and largely anonymous. However, it is clear that the legal and governance incentives and mechanisms are not properly aligned.

So, what should we do?
