Microsoft Revamps Bonus Policy

Microsoft’s vice chair and president disclosed that cybersecurity awareness will shape top executives’ annual bonuses.

This revelation comes before a US House committee hearing on Microsoft’s security measures. Brad Smith outlined this novel approach in an addendum to his testimony.

Senior executives’ bonuses, traditionally influenced by “individual performance,” will now partly hinge on cybersecurity efforts. Starting July 1, for fiscal year 2025, a third of this individual-performance metric will be based on their cybersecurity contributions.

The board’s compensation committee, aided by an independent entity, will conduct evaluations. Smith noted that adjustments to bonus calculations may also affect the current fiscal year.

Cybersecurity performance will factor into the Compensation Committee’s executive assessments for the year ending June 30. The Board retains discretion over compensation adjustments based on cybersecurity accountability.

Recently, Microsoft faced criticism for handling cybersecurity poorly. In the summer of 2023, a PRC-backed group, Storm-0558, breached Microsoft Exchange Online. They accessed mailboxes across 22 organizations, affecting over 500 individuals including US officials.

A DHS and CSRB report deemed the attack preventable. It highlighted Microsoft’s lax security culture and inadequate risk management. The company’s failure to update a 2016 key and its lack of critical security controls allowed the breach.

Microsoft’s mixed messages during the incident added to the scrutiny. The company initially cited a “crash dump” as the key theft method, then later retracted this claim.

Dmitri Alperovitch of the CSRB emphasized the urgency for cloud providers to adopt recommendations against nation-state threats.
