In a significant move toward accountability, Qantas Airways has reduced short-term bonuses for its executive leadership, cutting 15% from their pay in light of a recent cyber breach that compromised customer data for millions. So, what happened, and what does it all mean for CISOs, their teams, and the broader corporate ecosystem?
Qantas slashed short-term bonuses in fiscal 2025 for its top executives, including CEO Vanessa Hudson, by 15%, amounting to an A$250,000 cut for the CEO and a combined A$550,000 for other executives.
Despite the cut, Hudson's total pay rose year-over-year—from A$4.4 million to A$6.3 million—fueled by strong post-pandemic travel demand and robust financial performance.
The data breach—traced to Qantas' call center in Manila, Philippines, in late June 2025—exposed sensitive information, including names, email addresses, phone numbers, birth dates, and frequent flyer numbers of up to six million customers.
In statements, Qantas emphasized its commitment to "accountability and transparency," noting that despite ongoing investigations, it was important that remuneration consequences be addressed in the current fiscal year.
This rare instance of using compensation adjustment as damage control sends a clear message: cybersecurity failures are now personal and material to leadership. Boards are signaling that poor cyber governance can affect executive pay.
Critics highlight that despite the cut, Hudson's paycheck still rose significantly due to broader performance improvement. Without tying incentives directly to sustained cybersecurity performance, such penalties may lean toward optics rather than resilience-building measures.
The measure could influence governance elsewhere: insurers and investors increasingly demand that executive incentives reflect cybersecurity maturity, not just financial outcomes. A similar ethos is becoming embedded in ESG and risk frameworks.
The implications differ for each stakeholder: CISOs and their teams, boards and executives, and overall security strategy. CISOs and their teams should expect closer collaboration with boards and HR, because cyber risk is now treated as a performance risk that drives financial outcomes.
Boards and executives must integrate cybersecurity into KPIs and incentive programs, not as an afterthought but as a business-critical metric.
Security strategy must include strengthened governance, demonstrated preparedness, and robust incident response—all part of executive accountability.
Kip Boyle, Founder and CISO, Cyber Risk Opportunities LLC, wrote a post on LinkedIn about the news:
"When was the last time you saw a CEO's pay cut because of a data breach?
That's exactly what happened at Qantas after their board reviewed the fallout from a major cyber incident.
Instead of treating it as 'just an IT issue,' the board linked executive accountability directly to cyber risk management, reducing the CEO's compensation package as a result.
This move signals a turning point in corporate governance: Cyber risk is now being treated with the same weight as financial or legal risk.
For executives and boards everywhere, the message is clear: It's no longer only about patching systems. It's about building trust, resilience, and accountability at the highest levels.
Do you think more boards should link executive pay to cybersecurity performance?"
There are some broader implications moving forward. Organizations may now consider linking executive compensation to meaningful cybersecurity metrics, such as breach reduction, response readiness, and resilience measures.
As insurers cite the Qantas case, investor scrutiny of cyber risk and governance is expected to grow. Cyber-linked executive incentives might also be used to gauge a client's security maturity in underwriting discussions.
Lessons from academia suggest that risk-linked compensation is effective when embedded in regular performance cycles rather than applied as a punitive response after a breach. For boards and CISOs, this means building long-term cybersecurity KPIs, scorecard-based reporting, and clear remediation pathways to drive performance.
"The last headline I can recall about a CEO being held responsible for a breach dates back to the Target breach in 2013, when the CEO was forced to step down the following year," said John Watters, CEO at iCOUNTER. "It will certainly be interesting to see if this is a once-a-decade event or if it becomes the norm moving forward."
"Cybersecurity is the responsibility of everyone within the organization, and accountability for this starts with the CEO," said Dave Gerry, CEO at Bugcrowd. "Oftentimes, it's easy to point the finger at the various technology teams—including the CISO—but the reality is that the accountability for funding, prioritizing, and evangelizing security practices sits with the CEO and senior leadership team."
"Demonstrating that there is a financial impact for the CEO sends a clear message to shareholders that cybersecurity is a business enabler, protecting customers' data is of paramount importance, and the CEO is taking ownership of ensuring that the business does everything possible to uphold the trust placed in them by their customers," Gerry said.