Microsoft plans to tie bosses’ pay to cybersecurity – and cut it if they haven’t performed
Microsoft’s senior leaders’ annual bonuses will depend in part on their cybersecurity performance, the company’s vice chairman and president has revealed
Ahead of this week’s US House of Representatives committee hearing on Microsoft’s security practices, Brad Smith filed an addendum to his written testimony detailing the upcoming change.
The company’s senior leadership team (SLT), whose members meet regularly with the CEO, have their annual bonuses calculated from a number of factors, including a component called “individual performance.”
Cybersecurity is now part of the bonus formula
For fiscal year 2025, which begins July 1, one-third of this “individual performance” component will be tied directly to an evaluation of each executive’s cybersecurity work. The review will be conducted by the board’s compensation committee, but will also take into account the assessment of an independent third party that was not named.
Some changes to the bonus structure also apply to the current fiscal year, Smith explains:
“The Board of Directors has also determined that for the current fiscal year ending June 30, the Compensation Committee will explicitly consider the cybersecurity performance of each SLT member when making its annual assessment of the executive’s performance,” he wrote. “In addition to the design changes to our executive compensation program to include greater responsibility for cybersecurity, the Board of Directors also has the ability to exercise downward discretion regarding compensation outcomes as it deems appropriate.”
Microsoft has come under a lot of fire lately for its reportedly poor handling of major cybersecurity incidents.
In the summer of 2023, Microsoft Exchange Online was compromised by a People’s Republic of China (PRC)-backed actor tracked as Storm-0558, which gained access to the mailboxes of 22 organizations. Those mailboxes belonged to more than 500 people and included accounts of a number of U.S. government officials, among them Commerce Secretary Gina Raimondo, U.S. Ambassador to the PRC R. Nicholas Burns, and Congressman Don Bacon.
The attack has since been found to have been preventable, according to a report from the Department of Homeland Security’s Cyber Safety Review Board (CSRB), which stated that decisions were made that indicated “a corporate culture that deprioritized both enterprise security investments and rigorous risk management, which is at odds with the company’s central place in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”
The investigation found that Microsoft’s failure to rotate signing keys left a key from 2016 still valid in 2023. Additionally, a number of critical security controls that were standard practice at other cloud service providers (CSPs) at the time of the attack were not in place, which allowed a breach of this magnitude to occur and to go undetected for weeks.
Microsoft also appeared to have made conflicting statements about the incident: it first said the 2016 key had most likely been stolen from a “crash dump,” and later stated that it had found no evidence that the key was taken that way.
CSRB Deputy Chair Dmitri Alperovitch said: “This PRC-affiliated group of hackers has the ability and intent to compromise identity systems to gain access to sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers from these and other persistent and pernicious threats from nation-state actors.”
Via CNBC