Microsoft faces criticism from government and competitors after a "preventable" hack exposes executive pay to cyber threats.

  • Microsoft has been criticized by both the U.S. government and rival tech companies such as Google and CrowdStrike for its inability to prevent a Chinese hack of its systems.
  • Microsoft is now linking its executive pay to a successful cybersecurity strategy.
  • Microsoft's unconventional approach to compensating top business leaders has sparked discussions among other companies regarding pay for their executives.

Microsoft is facing criticism from the U.S. government and competitors over its inability to prevent a Chinese cyberattack on its systems last summer. In response, the tech giant is adjusting its executive compensation to be more closely tied to cybersecurity.

The summer 2023 intrusion into Microsoft's systems was attributed to China by a government review board, which deemed it "preventable." The Cyber Safety Review Board of the U.S. Department of Homeland Security identified "a cascade of avoidable errors" and a corporate culture at Microsoft that deprioritized enterprise security investments and rigorous risk management.

Google published a blog post this week highlighting the government findings and noting that many vendors, including Google, already take proactive measures against the tactics described in the report.

CrowdStrike prominently displays the government conclusions on its site.

The number of nation-state attacks from China and Russia is rising, and they are targeting corporations across the economy, the U.S. government, and social infrastructure. Microsoft has been a significant target, with hacks by both Russia and China. As a result, there is growing pressure from the U.S. government for the company to enhance its cybersecurity measures. Brad Smith, Microsoft's top corporate lawyer, has been called to testify on Capitol Hill.

Microsoft is also facing criticism for its cybersecurity measures after a hack of executive email accounts in January. The company disclosed the incident under the new federal cybersecurity disclosure rules, even though it said the breach was not "material" and therefore not one it was legally required to report. This has led to discussions at other firms about where to draw the line under the new disclosure requirements. Microsoft's decision to link executive compensation to cybersecurity performance is likewise being watched closely by other companies.


Microsoft's Secure Future Initiative, launched in November, aims to instill accountability among its Senior Leadership Team by basing part of their compensation on the company's progress in meeting its security plans and milestones, as outlined in a blog post by Charlie Bell, executive vice president of Microsoft Security.

Microsoft has a "critical responsibility" to prioritize cybersecurity as a company that plays a central role in the world's digital ecosystem. This is part of the company's "important governance changes" to foster a "security-first culture," a Microsoft spokesperson said, but declined to provide specifics on the compensation.

The proxy statement for Microsoft's annual meeting, held in December 2023, included limited detail on the performance targets behind executive compensation, as such proxies typically do.

Cybersecurity as a core corporate risk and bonus metric

Many corporations now link a portion of annual executive bonuses to goals beyond sales and profit targets, such as ESG metrics. In recent years, Fortune 500 companies like Apple have added bonus pay tied to ESG metrics. Risk management and safety goals have been a part of executive compensation for decades, including in industries such as mining, energy, manufacturing, and industrials, where bonuses were tied to environmental and worker safety.

Since Microsoft introduced cybersecurity-linked executive pay, discussions about this practice have started at other companies, according to Aalap Shah, managing director at executive compensation consultant Pearl Meyer. While it is not a common compensation practice today, he said, he has received phone calls from companies asking if they should adopt it and if it would be effective. These conversations are similar to those that were held a few years ago regarding ESG metrics, and a significant number of companies have adopted them.

Cybersecurity is a critical issue that requires attention, but the case for linking executive compensation to cybersecurity is not as clear-cut as it is for industries such as mining or industrial safety. While cybersecurity is a core concern in many industries, including retail, financial services, and healthcare, the specific roles of executives in ensuring data security may differ.

Tying pay to hacks is a 'good place to start'

Microsoft may have needed a new executive pay metric to force the prioritization of cybersecurity spending, even though some firms argue that security is already part of their culture and needs no such incentive.

Experts suggest that making executive compensation contingent on meeting cybersecurity goals is a crucial step in fostering a security culture at the top of the corporate hierarchy, which is vital for success.

Shah emphasized that the message being communicated both internally and externally is crucial to their culture and will likely be adopted by more companies, regardless of the significance of the gain. He stated that the company's goal is to ensure that the message becomes a cultural norm, and the way to achieve this is by linking it to compensation.

Stuart Madnick, professor of information technology at MIT, emphasized the importance of cybersecurity being ingrained in organizational culture. However, prioritizing security within a corporation can be challenging because it often requires investing in areas that may not have a direct impact on the bottom line. Madnick explained that corporate culture often prioritizes other objectives over security and risk management. He pointed out that it can be difficult to determine the level of security when there is no immediate threat. However, if sales increase by 20%, that money can be considered as profit.

Madnick's research reveals that corporate culture gaps are often the root cause of high-profile hacks, not just the Microsoft example. Prevention, he argues, requires both foresight and hindsight. In a recent article, he cited MIT studies on Equifax and Capital One security breaches as other examples. "While some risks are unpredictable and difficult to anticipate, many are more like a burglar alarm that is known to be faulty," he stated.

Equifax and Capital One did not respond to requests for comment.

According to Madnick, corporate decision-making is often systematic and semi-conscious, which means that management does not analyze the cyber risks associated with their decisions. Although tying executive compensation to security goals may not completely eliminate this approach from corporate culture, it has symbolic significance, and from that symbolic register, practical changes may follow.

'An annoyance and a profit center'

Microsoft's platforms and systems are so essential that it's nearly impossible to function without them. As Ryan Kalember, executive vice president of cybersecurity strategy at cybersecurity vendor Proofpoint, stated, "There's no alternative to Microsoft from a productivity standpoint. You have to do insane things to try to work without it."

The complexity of Microsoft's unavoidability is further compounded by the layered nature of its platforms, with each iteration building upon legacy applications from the 90s, before the emergence of modern security threats.

The government has urged the largest and oldest tech companies to update their systems, which are crucial for both businesses and consumers. In a CNBC interview last year, Cybersecurity and Infrastructure Security Agency director Jen Easterly compared cybersecurity to automotive regulations and emphasized the need for technology companies to create secure products by design and default, with safety features built in.

Retrofitting modern security practices onto such platforms is hard to do without replacing them entirely, yet legacy platforms remain easier to plug into and build on, according to Kalember.

The architectural principles of some legacy systems were designed when ransomware was not a significant threat, except on floppy disks. This has resulted in the company accumulating significant "technical debt" over several decades, which can be exploited by nation-states and foreign intelligence agencies to steal sensitive information.

Microsoft faces a dilemma as it grapples with two opposing forces: security is both a source of irritation and a lucrative business. As the world's largest cybersecurity vendor, Microsoft generated $20 billion in annual security revenue last year. While the compensation move may be well-intentioned, it is hard to evaluate its effectiveness without specifics.

No details on how Microsoft pay will be influenced

The lack of specifics regarding the compensation formula makes it challenging to accurately assess the incentive. Many corporations that have implemented ESG metrics have done so solely in the bonus portion of executive compensation, rather than the long-term incentive plan, which is far more substantial. "That's putting your money where your mouth is," Shah remarked.

How much are you really tying cyber to 20% of overall compensation when it is divided into several metrics? Shah asked.

Long-term incentive plans tied to equity grants, especially in tech, are where the real money is made, and that's where these types of non-core financial metrics are low in prevalence. However, it can be challenging for firms to conceive of two-to-three year goals related to cybersecurity, consumer privacy, and data breaches that can be measured like sales and profit. "It will be a challenge," Shah said. "Is it the number of incidents? The caution I have is the same as with ESG: you want to make sure not only the relevance is there, but you also want to make sure there are quantifiable goals. In a rush to adopt, if it's subjective, then it is less meaningful for shareholders."

Boards of directors have the power to hold executives accountable for their performance, including data breaches, and adjust bonuses accordingly. While this type of bonus incentive/punishment has primarily been limited to chief information security officers, it could be adopted more broadly as good PR to show that security is a top priority across the entire executive suite. However, Doonan believes that a better approach to improving corporate defense would be to save the bonus pool and invest those dollars into security programs.

by Trevor Laurence Jockims
