Repeated data breaches and executive compensation

Cybersecurity risk has become a more severe issue among firms, especially after the outbreak of COVID-19. Executive compensation has been documented in the literature as a channel to adjust executive risk-taking behaviours. In this paper, we examine whether or not, and if so, how firms change executive compensation after experiencing repeated data breaches. We find that firms decrease the total compensation of CEOs after suffering from repeated data breaches. The non-cash incentive compensation of CEOs decreased at the same time. On the other hand, our results show that firms increase the total compensation of non-CEO executives after experiencing repeated data breaches, and the increase is concentrated on the non-cash incentive component. Our empirical findings indicate that firms tend to penalize CEOs and mitigate their risk-taking activities after repeated data breaches while incentivizing non-CEO executives to take effective measures to improve cybersecurity and recover from data breach-caused damages.