Microsoft Ties Executive Bonuses to Cybersecurity Performance
Microsoft is making cybersecurity a key factor in executive compensation. In a move designed to strengthen its security posture, the company announced that starting in fiscal year 2025 (beginning July 1st, 2024), one-third of the “individual performance” component of senior executives’ annual bonuses will be tied directly to their cybersecurity work.
This decision comes after criticism surrounding Microsoft’s handling of major cybersecurity breaches. A notable example is the summer 2023 intrusion of Microsoft Exchange Online by a Chinese state-sponsored group (Storm-0558). This attack compromised the mailboxes of over 500 people, including prominent US government officials.
Investigations following the breach revealed shortcomings in Microsoft’s security practices. A report by the Department of Homeland Security (DHS) and the Cyber Safety Review Board (CSRB) identified a “corporate culture that deprioritized enterprise security investments.” The report also highlighted missed opportunities to prevent the attack, such as outdated key rotation protocols and a lack of essential security controls.
The new bonus structure aims to incentivize stronger cybersecurity leadership. The Board’s compensation committee, along with an independent third party, will evaluate executives’ cybersecurity performance. This evaluation will influence the “individual performance” portion of their bonuses.
Microsoft is also taking immediate action for the current fiscal year. The Compensation Committee will explicitly consider each senior leader’s cybersecurity performance in their annual assessments. Additionally, the Board retains the right to further adjust compensation based on overall performance.
This move by Microsoft reflects a growing trend of companies prioritizing cybersecurity. As cyberattacks become more sophisticated, businesses are increasingly recognizing the importance of robust security measures. By tying executive compensation to cybersecurity performance, Microsoft is sending a clear message that security is a top priority.