CEOs get paid more - not less - after cybersecurity breaches

Firms likely to invest in current management to address structural flaws, rather than firing CEO or docking their pay, study finds

The logic that heads will roll in the boardroom in the aftermath of a cybersecurity breach has been turned on its head by new research suggesting that such incidents actually fuel higher CEO pay.

Far from being fired, CEOs of breached firms were found to be more likely to receive an increase in total and incentive pay several years after an incident, the study, by researchers at Warwick Business School, found.

In contrast, average CEO pay at firms that were not targeted by hackers fell by more than $2m per year over the same five year period, according to the study.

In a blow for shareholders, the security breaches studied did have a lasting impact on the way firms were run, however, with affected firms typically paying lower dividends and investing less in research and development up to five years after the attack.

"Firms that suffer a data breach do not typically respond by firing the management, but by investing more in the existing CEO. At first sight, these results may look puzzling," said Daniele Bianchi, assistant professor of finance at Warwick Business School.

"However, they are consistent with the idea that the average response is to invest more in the management to address possible structural flaws, as well as maintaining the integrity of the firm in response to the reputational damage it has suffered.

"In the long run security breaches appear to have a more significant impact on firms' strategies and policies than their cash flow."