When the ebb and flow of cybersecurity goes wrong, even a well-prepared company can be surprised by a new form of exploit. Strong systems and practices are table stakes, as the risks of getting it wrong are significant and the potential costs are material and lasting. Expecting and responding to disruption has become the normal course of business.

So, should companies — and, more specifically, boards of directors — pay employees for non-events or penalize for the inevitable?

Two key questions bring this subject to life in corporate boardrooms:

1. Should incentive plans directly include a cybersecurity metric for top company officers, or is the impact on “earnings” sufficient to reflect the occurrence?
2. How should boards and board committees consider the impact of cyber attacks on incentive plan outcomes?

(more…)