The annual bonuses of Microsoft's highest-ranking employees will depend in part on how well they handle cybersecurity, the company's vice chair and president revealed.
Ahead of this week's US House of Representatives committee hearing on Microsoft's security practices, Brad Smith submitted an addendum to his written testimony in which he detailed the upcoming change.
The company's top executives, who meet frequently with the CEO, calculate their annual bonuses based on a number of factors, including something called “individual performance.”
Security deprioritized in the business
For fiscal year 2025, which begins July 1, one-third of this “individual performance” portion will be directly tied to a review of each executive's cybersecurity work. The review will be conducted by the board's compensation committee, but will also include input from an independent, unnamed third party.
Some changes to the bonus structure could also be included in this fiscal year, Smith explained:
“The Board also decided that for the current fiscal year, which ends June 30, the Compensation Committee will explicitly consider the cybersecurity performance of each SLT member when making its annual evaluation of the executive's performance,” he wrote. “Beyond the design changes to our executive compensation program to include greater accountability for cybersecurity, the Board also has the ability to exercise downward discretion over compensation outcomes as it deems appropriate.”
Microsoft has come under a lot of criticism lately for its alleged mishandling of major cybersecurity incidents.
In the summer of 2023, Microsoft Exchange Online was hit by a series of intrusions by a People's Republic of China (PRC)-backed actor tracked as Storm-0558, which gained access to the mailboxes of 22 organizations. The mailboxes were used by more than 500 people and involved several U.S. government representatives, including Secretary of Commerce Gina Raimondo, U.S. Ambassador to the People's Republic of China R. Nicholas Burns, and Congressman Don Bacon.
The attack has since been found to have been preventable, according to a report from the Department of Homeland Security (DHS) and the Cyber Safety Review Board (CSRB), which states that decisions were made that pointed to “a corporate culture that deprioritized business security investments and rigorous risk management, at odds with the centrality of the company in the technological ecosystem and the level of trust that customers place in the company to protect their data and operations.”
The review found that Microsoft's negligence around signing-key rotation resulted in a key issued in 2016 remaining active in 2023. Additionally, a number of critical security controls that were standard practice for other CSPs at the time of the attack were not implemented, controls which could have detected and prevented an intrusion of this scale.
Microsoft was also found to have issued conflicting communications at the time of the incident, stating that the 2016 key was likely stolen during a “crash dump”, and later stating that there was no evidence to suggest the key was stolen in this scenario.
CSRB Deputy Chair Dmitri Alperovitch said: “This hacking group affiliated with the People's Republic of China has the ability and intent to compromise identity systems to access sensitive data, including emails of persons of interest to the Chinese government. Cloud service providers must urgently implement these recommendations to protect their customers against this and other persistent and pernicious threats from state actors.”
Via CNBC