Microsoft was slammed for its lax cyber security practices after a series of breaches — now it plans to cut executive bonuses if they don't improve standards
One-third of Microsoft executive bonuses will only be paid out after a review from an independent third party, according to president and vice chair Brad Smith


Microsoft has announced a new tactic to ensure it gets buy-in from business leaders on transforming its security culture after several high-profile security blunders exposed a cavalier approach to its cyber posture.
Executive bonuses will now be tied to their departments’ security performance and reviewed by an independent cyber board before they are paid out each year, according to Brad Smith, vice chair and president of Microsoft.
Smith revealed the planned adjustment to the company’s executive pay structure via written testimony ahead of his hearing in front of the US House committee last week.
The hearing saw the Microsoft president testify on a series of ‘cyber security shortfalls’ highlighted in a report into the company’s “lax corporate culture” in light of the 2023 Summer Exchange Intrusion.
The attack saw a state-backed Chinese threat collective known as Storm-0558 access the mailboxes of 22 organizations and 500 individuals, some of whom were senior US government officials including Secretary of State for Commerce Gina Raimondo.
The Department of Homeland Security issued a report based on an independent review of Microsoft’s conduct during the incident by the Cyber Safety Review Board, which found the company’s security strategy was lacking. The review noted it was still unable to provide details on exactly how the breach occurred almost a year later.
This has led to the promise of significant culture changes geared towards security, one of which is the decision to tie executive bonuses to their security performance.
According to Smith’s submission, one-third of the ‘individual performance’ portion of executives’ bonuses in the new financial year will be tied to a review of their cyber security work by the board’s compensation committee, which will take into account the opinion of an unidentified independent third party.
String of security failures forces Microsoft to show it is making changes
The 2023 Summer Exchange Intrusion is not the only incident attracting all the wrong attention for Microsoft in recent years.
The report from the Cyber Safety Review Board also noted Microsoft suffered another attack in January 2024 that gave a nation-state affiliated threat group, Midnight Blizzard, access to corporate accounts in a password spraying attack.
The recent announcement, and subsequent delay following security concerns, of its Recall feature, which uses AI to continually take screenshots of the device so users can search back through their activity, is just another example of the company missing the mark when it comes to cyber security, some industry experts have claimed.
Microsoft was forced to roll back the capability and reassure users it would no longer be part of the official launch of its anticipated Copilot+ PC range, saying it would conduct further testing on the product before rolling it out.
Going back slightly further, a former Microsoft security architect has blown the whistle, saying the firm chose to ignore early warnings about the flaw attackers exploited in the SolarWinds attack that disrupted thousands of organizations in 2020.
The strongest accusations were made against a number of product leaders at the company, who the whistleblower accused of prioritizing minimizing business fallout over cyber resilience when they were made aware of a critical security vulnerability.
The tech giant will hope that hitting executives where it hurts if they fail to pull their weight in the company-wide push will tighten some of the loose ends that have been hurting its security posture over the last few years.
Solomon Klappholz is a former Staff Writer at ITPro and ChannelPro. He has experience writing about the technologies that facilitate industrial manufacturing, which led to him developing a particular interest in IT regulation, industrial infrastructure applications, and machine learning.