Microsoft set to dock bosses' pay — if they haven't shown good cybersecurity performance

Image Credit: Shutterstock (Image credit: Shutterstock)

The annual bonuses of Microsoft’s highest-ranking workers officers’ annual bonuses will depend on how mindful they were of cybersecurity, the company's vice chair and president has revealed

Ahead of the US House committee hearing on Microsoft’s security practices this week, Brad Smith submitted an addendum to his written testimony, in which he detailed the upcoming innovation. 

The company’s senior executives, who frequently meet with the CEO, have their annual bonuses calculated based on a number of factors, including something called “individual performance”.

Deprioritized enterprise security

For the fiscal year 2025, which starts on July 1, a third of this “individual performance” part will be directly linked to the review of their cybersecurity work. The review will be done by the board’s compensation committee, but will also include the opinion of an unidentified, independent third party.

Some changes to the bonus structure might also make it into this fiscal year, Smith explained:

“The Board also decided that for the current fiscal year, which ends on June 30, the Compensation Committee will consider explicitly each SLT member’s cybersecurity performance when it makes its annual assessment of the executive’s performance,” he wrote. “Beyond the design changes to our executive pay program to include a greater accountability for cybersecurity, the Board also has the ability to exercise downward discretion on compensation outcomes as it deems appropriate.”

Microsoft has come under a lot of fire lately, for its allegedly poor handling of major cybersecurity incidents. 

In the summer of 2023, Microsoft Exchange Online was hit in a series of intrusions by a People's Republic of China (PRC) backed actor tracked as Storm-0558, who gained access to the mailboxes of 22 organizations. The mailboxes were used by over 500 people, and compromised a number of US government representatives including Commerce Secretary Gina Raimondo, US Ambassador to the PRC R. Nicholas Burns, and Congressman Don Bacon.

The attack has since been found to have been preventable, according to a report by the Department of Homeland Security (DHS) and the Cyber Safety Review Board (CSRB), stating that there were decision made pointing to “a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations.”

The review found that Microsoft’s negligence in signing key rotation resulted in a 2016 key remaining active in 2023. Furthermore, a number of critical security controls that were standard practice for other CSPs at the time of the attack were not in place, which could have detected and prevented an intrusion of this scale.

Microsoft were also found to have issued conflicting communications at the time of the incident, stating that the 2016 key was likely stolen during a “crash dump,” then later stating that there was no evidence to suggest the key was stolen in this scenario.

CSRB Acting Deputy Chair Dmitri Alperovitch said, “This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from nation-state actors.”


More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.