Posted by Phil Yores, WTW, on
Monday, November 10, 2025 *
Phil Yores is a Senior Director at WTW. This post is based on a WTW memorandum by Mr. Yores, Zach Georgeson, and Becky Huddleston.
When the ebb and flow of cybersecurity goes wrong, even a well-prepared company can be surprised by a new form of exploit. Strong systems and practices are table stakes, as the risks of getting it wrong are significant and the potential costs are material and lasting. Expecting and responding to disruption has become the normal course of business.
So, should companies — and, more specifically, boards of directors — pay employees for non-events or penalize for the inevitable?
Two key questions bring this subject to life in corporate boardrooms:
1…
Posted by Phil Yores, WTW, on
Monday, November 10, 2025 *
Phil Yores is a Senior Director at WTW. This post is based on a WTW memorandum by Mr. Yores, Zach Georgeson, and Becky Huddleston.
When the ebb and flow of cybersecurity goes wrong, even a well-prepared company can be surprised by a new form of exploit. Strong systems and practices are table stakes, as the risks of getting it wrong are significant and the potential costs are material and lasting. Expecting and responding to disruption has become the normal course of business.
So, should companies — and, more specifically, boards of directors — pay employees for non-events or penalize for the inevitable?
Two key questions bring this subject to life in corporate boardrooms:
- Should incentive plans directly include a cybersecurity metric for top company officers, or is the impact on “earnings” sufficient to reflect the occurrence?
- How should boards and board committees consider the impact of cyber attacks on incentive plan outcomes?
Risk mitigation: Let good governance be your guide
Key tenets of good governance call for actions, policies and processes aimed at mitigating risk, and it all starts at the top. Building seasoned board — those with years of experience and a diverse perspective on the many aspects of business — is critical.
Recently, as they are rounding out the necessary complement of board skills, most companies have focused on building or hiring board members with expertise in cybersecurity. Strong processes, including regular reviews by, reporting to and education of the board, will enhance the effectiveness of the oversight function and risk mitigation. Again, strong cybersecurity oversight has become table stakes for board and committee work plans.
Turning attention inward to the specific cyber environment of a company, management takes over the day-to-day of the systems, processes and plans to address material threats. Monitoring management practices regarding cybersecurity has become a necessary — and fundamental — part of risk management at the board level.
The sophistication of cyber attacks is proliferating, requiring continuous improvement and increased resources (both financial and human) within corporations. While insurance is an important element of risk mitigation, it likely isn’t enough to demonstrate thoughtful preparation. Adding transparency, insight and experiences to the tool chest will support better outcomes.
Compensation design
Strong financial outcomes and sophisticated business strategies can be measured in detail and generate expectations for performance with a good deal of accuracy. However, the same is not true for what should be an anomaly.
Designing your way out of every potential business situation has never been the objective. A strong plan addresses all the “known knowns” very well. Conversely, most plans are not very good at addressing the “known unknowns” (at least, in advance).
A strong plan design considers the potential for uncertainty in key areas that drive financial performance. Most plan designs do not (and probably should not) directly anticipate events with a relatively low probability of occurring BUT could have a significant impact on business results if they occur. This is when business judgment and discretion have a very real and legitimate place in compensation governance.
The very nature of a cybersecurity event requires careful evaluation to assess fairly and appropriately when it comes to compensation. Automating the compensation outcome through design seems to be a recipe for disappointment. Each incident is unique, particularly because companies that suffer attacks also have very different incentive plan designs.
Furthermore, the cost impact can be varied and incurred over time. This could include:
- Direct remediation costs at the time of the attack
- Business interruption costs
- Longer term investments in security systems and processes
- Litigation and settlement reserve and costs
Assessing the full scope at the time of the incident may not always be fulsome.
Shareholder alignment
With jobs, annual bonuses, long-term incentives (LTIs) and, in many cases, significant portions of personal wealth tied to share price, executives already are well aligned with shareholders (or should be). There is a clear incentive to ensure that they protect shareholders from the potentially material adverse effects of a cybersecurity event.
So, when an event occurs, management should automatically feel the pain in a well-constructed and deployed compensation arrangement. The need for additional penalties may (or may not) be warranted. Clearly, though, the board has a responsibility to understand the impact and assess whether their existing tools are responding appropriately. Perhaps the share ownership guidelines and performance-based LTI plans have provided sufficient “alignment” — in this case, a penalty.
Beyond compensation tools, the board also will review the unintended consequences of those programs: Has the event caused an outsized impact on pay? Is retention a risk that has been introduced or compounded by the event? Incorporating a specific and direct cybersecurity metric (and targets) in incentive plans presumes clear identification of relevant measures, a clear line of sight for management impact, and a sense of fairness and equity for all stakeholders.
While some fundamental best practices exist, unfortunately preparation and measurement are most effective with the benefit of hindsight. Setting direct measures is fraught with challenges and the knowledge that the event — should it arise — is likely to look very different.
Post-event evaluation has the highest likelihood of a reasonable outcome because most of the information about strengths and weaknesses of preparation and response will be known and can be evaluated appropriately to determine the impact on incentive pay.
Boards already have some tools at their disposal that can support the evaluation of a cybersecurity event, including discretionary powers (as reluctantly as they may be deployed) and clawback provisions — the better-late-than-never catch-all. Expecting the board to predict and measure events in advance for formulaic insertion in an incentive program may be a step too far, at least for material breaches stemming from unfamiliar attacks.
With the unpredictable nature of cybersecurity events, the potential impact varying significantly, and the tools already in place playing a role in setting the tone for executives, this is an area in which the board’s business judgment will be paramount in determining the appropriate response and outcome. Balancing business needs, shareholder alignment and the broader cohort of stakeholders (i.e., customers, employees, community and so on), the board’s role will be imperative to a positive resolution, and they need the latitude to do the right thing.