Microsoft was slammed for its lax cyber security practices after a series of breaches — now it plans to cut executive bonuses if they don't improve standards

Microsoft has announced a new tactic to ensure it gets buy-in from business leaders on transforming its security culture after several high-profile security blunders exposed a cavalier approach to its cyber posture.

Executive bonuses will now be tied to their departments’ security performance and reviewed by an independent cyber board before they are paid out each year, according to Brad Smith, vice chair and president of Microsoft.

Smith revealed the planned adjustment to the company’s executive pay structure via written testimony ahead of his hearing in front of the US house committee last week. 

The hearing saw the Microsoft president testify on a series of ‘cyber security shortfalls’ highlighted in a report into the company’s  “lax corporate culture” in light of the 2023 Summer Exchange Intrusion.

The attack saw a state-backed Chinese threat collective known as Storm-0558 access the mailboxes of 22 organizations and 500 individuals, some of whom were senior US government officials including Secretary of State for Commerce Gina Raimondo.

The Department of Homeland Security issued a report based on an independent review of Microsoft’s conduct during the incident by the Cyber Safety Review Board, which found the company’s security strategy was lacking. The review noted it was still unable to provide details on exactly how the breach occurred almost a year later.

This has led to the promise of significant culture changes geared towards security, one of which is the decision to tie executive bonuses to their security performance. 

According to Smith’s submission, one-third of the ‘individual performance’ portion of their bonuses in the new financial year will be tied to a review of their cyber security work by the board’s compensation committee, which will take into account the opinion of an unidentified independent third-party.

String of security failures force Microsoft to show it is making changes

The 2023 Summer Exchange Intrusion is not the only incident attracting all the wrong attention for Microsoft in recent years.

The report from the Cyber Safety Review Board also noted Microsoft suffered another attack in January 2024 that gave a nation-state affiliated threat group, Midnight Blizzard, access to corporate accounts in a password spraying attack.

The recent announcement and subsequent delay of its Recall feature, that uses AI to continually screenshot the device so users can search back through their activities after security concerns, is just another example of the company missing the mark when it comes to cyber security, some industry experts have claimed.

Microsoft was forced to roll back the capability and reassure users it would no longer be part of the official launch of its anticipated Copilot+ PC range, saying it would conduct further testing on the product before rolling it out.

Going back slightly further, a former Microsoft security architect has blown the whistle saying the firm chose to ignore early warnings about the flaw attackers exploited to deploy the SolarWinds attack that disrupted thousands of organizations in 2020.

The strongest accusations were made against a number of product leaders at the company, who the whistleblower accused of prioritizing minimizing business fallout over cyber resilience when they were made aware of a critical security vulnerability.

The tech giant will hope by hitting executives where it hurts if they fail to pull their weight in the company-wide push, will tighten some of the loose ends that have been hurting its security posture over the last few years.