A study into cybersecurity breach pay has found that in the aftermath of a cyberattack or other similar security breach, bosses are more likely to be given a pay rise.

The research by Warwick Business School also found that shareholders were more likely to receive lower dividends after an attack.

Companies were also more likely to cut research and development in the five years following such an incident.

Cybersecurity breach pay sees bosses benefit from a cyberattack

The research, which involved analysis of data breaches at 41 publicly listed companies between 2004 and 2016, upends conventional wisdom that senior executives suffer as a result of a cyberattack.

It found that CEOs were no more likely to be fired following a cyberattack than at any other time.

However, they were also more likely to receive an increase in both total and incentive-related pay over the following five years.

By contrast, the average pay of CEOs at companies that were not victims of a cyberattack dropped by over $2m during the same period – indicating that a cyberattack is profitable for CEOs to endure.

“Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling,” commented Daniele Bianchi, assistant professor of finance at Warwick Business School.

“However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered.

“In the long run security breaches appear to have a more significant impact on firms’ strategies and policies than their cash flow.”

Impact of GDPR?

Notably, this research covers a period prior to the enforcement of GDPR, under which companies operating in the EU are now compelled to report key data breach details within a fixed – and short – timeframe.

As these incidents all occurred during a period before this was mandatory, the situation may change in the future.

“Incidents of security breaches that reveal sensitive and confidential information can lead to litigation and government sanctions, but also to a loss of competitive edge against competitors through a reduction of resources dedicated to R&D, dividend payments, or investments more generally,” said Onur Tosun, assistant professor of finance at Warwick Business School.

“For this reason, companies are often reluctant to reveal information about security breaches due to fear of both short-term and long-term market reactions. However, many firms won’t have a choice with tighter regulations demanding that firms report data breaches within 72 hours.

“Cybersecurity will therefore become an increasingly important consideration for companies to avoid the damaging fallout once a breach is made public.”

