
Microsoft Ties Executive Bonuses to Cybersecurity Performance

16 June 2024


Zaker Adham

Summary

Microsoft has announced that the annual bonuses of its top executives will now be tied in part to their cybersecurity performance. The change was revealed by Brad Smith, Microsoft's vice chair and president, ahead of a US House Homeland Security Committee hearing on the company's security practices.

Deprioritized enterprise security

Starting in fiscal year 2025, which begins on July 1, one-third of the "individual performance" component of senior executives' bonuses will be tied directly to their cybersecurity performance. The evaluation will be conducted by the board's compensation committee, with input from an independent third party. Some adjustments to the bonus structure may also be applied in the current fiscal year, which ends on June 30.

Smith noted that the board has also decided to explicitly consider each senior leadership team member’s cybersecurity performance in its annual assessments. Beyond incorporating cybersecurity into the executive pay program, the board retains the discretion to adjust compensation based on performance outcomes.

This move comes in response to significant criticism of Microsoft's handling of cybersecurity incidents. Notably, in mid-2023, a China-based state-sponsored group tracked as Storm-0558 used forged authentication tokens to access Exchange Online mailboxes belonging to 22 organizations and more than 500 individuals, including senior US government officials. The Cyber Safety Review Board (CSRB), convened by the Department of Homeland Security, concluded that the intrusion was preventable and attributed it to a corporate security culture that deprioritized security investments.

The investigation found that Microsoft had failed to rotate a Microsoft account (MSA) consumer signing key created in 2016, which remained valid until the intrusion in 2023 and was used to forge the tokens that Exchange Online accepted. Additionally, the company lacked controls that could have detected or prevented the intrusion; the compromise was discovered by a customer, the US State Department, rather than by Microsoft. Microsoft's inaccurate public statements about how the key was obtained, which went uncorrected for months, further compounded the issue.

Dmitri Alperovitch, Acting Deputy Chair of the CSRB, emphasized the threat posed by nation-state actors and urged cloud service providers to implement robust security measures to protect their customers.