Microsoft has come under fire recently from both the U.S. government and rival companies for its failure to stop a Chinese hack of its systems last summer. One change the tech giant is making in response: linking executive compensation more closely to cybersecurity.

In April, a government review board described a hack of Microsoft last summer attributed to China as “preventable.” The U.S. Department of Homeland Security’s Cyber Safety Review Board pointed to “a cascade of errors” and a corporate culture at Microsoft “that deprioritized enterprise security investments and rigorous risk management.”

Competitors have taken advantage of the cyber lapse, with Google publishing a blog post this week highlighting the government findings and noting, “The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report.” 

CrowdStrike prominently displays the government conclusions on its site.

Nation-state attacks from China and Russia are increasing, and targeting corporations across the economy, as well as the U.S. government and social infrastructure. Microsoft has been a very big target, including hacks by Russia and China. There is growing pressure from the U.S. government for the company to improve its cybersecurity protocols, with its top corporate lawyer, Brad Smith, being called to testify on Capitol Hill.

Microsoft is in damage control mode. After a hack of executive email accounts in January attributed to Russian hackers, the company disclosed the incident in compliance with new federal cybersecurity disclosure rules, even though technically it was not a “material” hack that it was required by law to share, leading to discussion at other firms about where to draw the line on the new disclosure. The decision by Microsoft to link executive compensation to successful cybersecurity performance is another move that is prompting discussions at other firms.

Microsoft launched its Secure Future Initiative in November, and earlier this month, the company outlined in a blog post from Charlie Bell, executive vice president of Microsoft Security, that as part of its SFI goals it will “instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”

A Microsoft spokesperson declined to provide specifics on the compensation, but said as a company which plays a central role in the world’s digital ecosystem, it has a “critical responsibility” to make cybersecurity a top priority. It is part of the company’s “important governance changes [made] to further support a security-first culture,” the spokesperson said. 

Companies often provide more details, though often only limited details, on executive compensation performance targets in their annual meeting proxy statements; Microsoft’s last annual meeting was held in December 2023.

Cybersecurity as a core corporate risk and bonus metric

It has become more common for corporations to tie a percentage of annual executive bonus payouts to various goals that go beyond meeting sales and profit targets. In recent years, many Fortune 500 companies, including Apple, have added bonus pay tied to ESG metrics. Risk management and safety goals have long been a part of executive compensation, dating back to an era before the rise of ESG — for example, mining and energy companies, as well as manufacturers and industrials, tying bonuses to environmental and worker safety.

The conversations about cybersecurity-linked executive pay have started taking place at other companies since Microsoft made its move, according to Aalap Shah, managing director at executive compensation consultant Pearl Meyer. It’s not prevalent as a compensation practice today, he said, but he added, “post-Microsoft’s announcement, I’ve gotten phone calls asking, ‘Should we do it? Would it work?’ … These conversations are very similar to the ones we were having a few years ago with ESG metrics and a significant percentage of companies adopted them.”

Shah said there is a case to be made that cybersecurity is a core issue that can be equated to mining or industrial safety. But there’s a big difference between a business in cybersecurity and, for example, a retailer, in making this case. And even in industries beyond technology and cybersecurity where keeping data secure is a core issue, such as financial services and health care — which have been targets of high-profile hacks — it’s not a clear case yet to tie executive compensation of the most senior people, such as a chief financial officer or general counsel, to cybersecurity, versus the chief information security officer or chief technology officer, specifically.

Tying pay to hacks is a ‘good place to start’

Some firms will make the case that cybersecurity is already ingrained in their culture and such a move would be redundant, but with the escalation in hacking threats and increased importance of cybersecurity spending to the bottom line of companies like Microsoft, this new executive pay metric may be overdue.

Making executive compensation contingent, to some degree, on meeting cybersecurity aims is a good place to start instilling a security culture at the top of the corporate hierarchy that is fundamental to success, according to experts. 

“The most important message being sent internally and externally is it’s very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant,” Shah said. “What they want to do is make sure it is becoming ingrained culturally, and the path to do that is by linking it to compensation.”

“Cybersecurity has to be in the culture of the organization,” said Stuart Madnick, professor of information technology at MIT. But prioritizing security can be difficult within a corporation, Madnick said, because it often means putting money into places that aren’t clearly reflected on the bottom line. “Corporate culture prioritizes other things over security and risk management,” Madnick said. “How do you know how secure you are? Maybe no one is targeting you at the time. But if you increase sales by 20%, that’s money in the bank.”

Madnick’s research shows that gaps in corporate culture are often culprits in high-profile hacks, not just the Microsoft example. Prevention, he says, is as much about foresight as hindsight. In a recent article, he cited MIT studies on Equifax and Capital One security breaches of recent years as other prominent examples. “While some risks are true surprises unlikely to be recognized in advance, many are more like the burglar alarm known to be defective,” he said.

Equifax and Capital One did not respond to requests for comment.

Madnick described the corporate mentality as most often “systematic, semi-conscious decision making.” That means management decisions are made without analyzing the cyber risks that are being introduced by the decision. Tying executive compensation to security aims won’t necessarily mean that approach evaporates from a corporate culture, but he said it has symbolic resonance, and from that symbolic register, the practical may indeed follow.

‘An annoyance and a profit center’

For Microsoft, the stakes are higher than for most organizations. Its platforms and systems are so omnipresent — in business and government — that it’s essentially impossible to live without it. “There’s no alternative to Microsoft, from a productivity standpoint. You have to do insane things to try to work without it,” said Ryan Kalember, executive vice president of cybersecurity strategy at cybersecurity vendor Proofpoint.

Adding to the complexity of Microsoft’s unavoidability, he said, is the layered nature of its platforms, in which succeeding iterations are often buttressed by legacy applications stretching back to the 90s, before security threats remotely resembling what exists now.

The U.S. government has called on the largest, and oldest, tech companies to update systems that both businesses and consumers rely on. Last year, Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a CNBC interview that cybersecurity is consumer safety, and compared it to automotive regulations. “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in,” she said. 

Legacy platforms are far easier to plug into and build on rather than deploying a new system entirely, but “it’s a security nightmare,” Kalember said. “One MS365 for everybody from the State Department to Joe’s Crab Shack is a fine business model, it just doesn’t lend itself well to traditional security measures.”

The architectural principles built into some of these legacy systems were designed “when ransomware was really a thing that simply didn’t exist – except on floppy disks,” he said. This has led to the company accruing massive amounts of what is called “technical debt” — decades of it — that can be abused by nation-states and allow foreign intelligence agencies “to steal anything they want,” he added.

Microsoft is caught between two competing impulses, with security “a combination of an annoyance and a profit center,” Kalember said. It’s a profit center because Microsoft is the world’s largest cybersecurity vendor, reaching $20 billion in annual revenue last year. That makes the compensation move “a good gesture,” he said, but he added, “without specifics behind it, it’s very difficult to assess.” 

No details on how Microsoft pay will be influenced

The lack of details on the compensation formula makes it impossible to properly evaluate the incentive. Many companies that adopted ESG metrics did so only in the bonus portion of executive pay, not the long-term incentive plan, which is much more significant. “That’s putting your money where your mouth is,” Shah said.

A bonus may comprise, on average, 20% of executive pay, and within the bonus pool specifically, non-core financial metrics such as ESG only contribute 20% of a potential total bonus payout. “When you have 20% of overall [bonus] compensation and divvy it up into a few different metrics, how much are you really tying something like cyber to it?” Shah said.

Long-term incentive plans tied to equity grants, especially in tech, are where the real money is made, and that’s where these types of non-core financial metrics are low in prevalence. That would be the ideal place within a compensation plan to set pay against long-term cybersecurity and corporate goals, but it is difficult for firms to conceive of two-to-three year goals related to cybersecurity, consumer privacy and data breaches that can be measured like sales and profit. “It will be a challenge,” Shah said. “Is it the number of incidents? The caution I have is the same as with ESG: you want to make sure not only the relevance is there, but you also want to make sure there are quantifiable goals. In a rush to adopt, if it’s subjective, then it is less meaningful for shareholders.”

Boards of directors already have the discretion to hold executives accountable each year and decide to do downward adjustments on bonuses, based on performance, including data breaches. To date, this type of bonus incentive/punishment has been mostly limited to chief information security officers, according to Mike Doonan, managing director at SPMB, an executive search firm where he specializes in technology. In his view, it’s an imperfect comparison to look at the history of bonus pay tied to metrics such as worker safety, since many hacks occur due to third-party vulnerabilities, which are often beyond the company’s direct control. But Doonan said he could see this type of executive incentive being adopted more broadly, “because it’s good PR to say security is a top priority across the entire executive suite, and it might result in improvements.” But he thinks there is an even better way to shore up corporate defense: “saving the bonus pool and investing those dollars into security programs.”

USDC stablecoin issuer Circle files for IPO as public markets open to crypto

Circle, the company behind the USDC stablecoin, has filed for an initial public offering with the U.S. Securities and Exchange Commission.

The S-1 filing lays the groundwork for Circle’s long-anticipated entry into the public markets.

While the filing does not yet disclose the number of shares or a price range, sources told Fortune that Circle plans to move forward with a public filing in late April and is targeting a market debut as early as June.

JPMorgan Chase and Citi are reportedly serving as lead underwriters, and the company is seeking a valuation between $4 billion and $5 billion, according to Fortune.

This marks Circle’s second attempt at going public. A prior SPAC merger with Concord Acquisition Corp collapsed in late 2022 amid regulatory challenges. Since then, Circle has made strategic moves to position itself closer to the heart of global finance — including the announcement last year that it would relocate its headquarters from Boston to One World Trade Center in New York City.

Circle is best known as the issuer of USDC, the world’s second-largest stablecoin by market capitalization.

Pegged one-to-one to the U.S. dollar and backed by cash and short-term Treasury securities, USDC has roughly $60 billion in circulation. It makes up about 26% of the total market cap for stablecoins, behind Tether’s 67% dominance. Its market cap has grown 36% this year, however, compared with Tether’s 5% growth.

Coinbase CEO Brian Armstrong said on the company’s most recent earnings call that it has a “stretch goal to make USDC the number 1 stablecoin.” 

The company’s push into public markets reflects a broader moment for the crypto industry, which is navigating renewed political favor under a more crypto-friendly U.S. administration. The stablecoin sector is ramping up as the industry grows increasingly confident that the crypto market will get its first piece of U.S. legislation passed and implemented this year, focusing on stablecoins.

Stablecoins’ growth could have investment implications for crypto exchanges like Robinhood and Coinbase as they integrate more of them into crypto trading and cross-border transfers. Coinbase also has an agreement with Circle to share 50% of the revenue of its USDC stablecoin.

The stablecoin market has grown about 11% so far this year and about 47% in the past year, and has become a “systemically important” part of the crypto market, according to Bernstein. Historically, digital assets in this sector have been used for trading and as collateral in decentralized finance (DeFi), and crypto investors watch them closely for evidence of demand, liquidity and activity in the market.

More recently, however, rhetoric around stablecoins’ ability to help preserve U.S. dollar dominance – by exporting dollar utility internationally and ensuring demand for U.S. government debt, which backs nearly all dollar-denominated stablecoins – has grown louder.

A successful IPO would make Circle one of the most prominent crypto-native firms to list on a U.S. exchange — an important signal for both investors and regulators as digital assets become more entwined with the traditional financial system.

Hims & Hers shares rise as company adds new weight-loss medications to platform

Hims & Hers Health shares closed up 5% on Tuesday after the company announced patients can access Eli Lilly’s weight loss medication Zepbound and diabetes drug Mounjaro, as well as the generic injection liraglutide, through its platform.

Zepbound, Mounjaro and liraglutide are part of the class of weight loss medications called GLP-1s, which have exploded in popularity in recent years. Hims & Hers launched a weight loss program in late 2023, but its GLP-1 offerings have evolved as the company has contended with a volatile supply and regulatory environment.

Lilly’s weekly injections Zepbound and Mounjaro will cost patients $1,899 a month, according to the Hims & Hers website. The generic liraglutide will cost $299 a month, but it requires a daily injection and can be less effective than other GLP-1 medications.

“As we look ahead, we plan to continue to expand our weight loss offering to deliver an even more holistic, personalized experience,” Dr. Craig Primack, senior vice president of weight loss at Hims & Hers, wrote in a blog post.

A Lilly spokesperson said in a statement that the company has “no affiliation” with Hims & Hers and noted that Zepbound is available at lower costs for people who are insured for the product or for those who buy directly from the company. 

In May, Hims & Hers started prescribing compounded semaglutide, the active ingredient in Novo Nordisk’s GLP-1 weight loss medications Ozempic and Wegovy. The offering was immensely popular and helped generate more than $225 million in revenue for the company in 2024.

But compounded drugs can traditionally only be mass produced when the branded medications are in shortage. The U.S. Food and Drug Administration announced in February that the shortage of semaglutide injection products had been resolved.

That meant Hims & Hers had to largely stop offering the compounded medications, though some consumers may still be able to access personalized doses if it’s clinically applicable. 

During the company’s quarterly call with investors in February, Hims & Hers said its weight loss offerings will primarily consist of its oral medications and liraglutide. The company said it expects its weight loss offerings to generate at least $725 million in annual revenue, excluding contributions from compounded semaglutide.

But the company is still lobbying for compounded medications. A pop-up on Hims & Hers’ website, which was viewed by CNBC, encourages users to “use your voice” and urge Congress and the FDA to preserve access to compounded treatments.

With Tuesday’s rally, Hims and Hers shares are up about 27% in 2025 after soaring 172% last year.

Meta’s head of AI research announces departure

Meta’s head of artificial intelligence research announced Tuesday that she will be leaving the company. 

Joelle Pineau, the company’s vice president of AI research, announced her departure in a LinkedIn post, saying her last day at the social media company will be May 30. 

Her departure comes at a challenging time for Meta. CEO Mark Zuckerberg has made AI a top priority, investing billions of dollars in an effort to become the market leader ahead of rivals like OpenAI and Google.

Zuckerberg has said that it is his goal for Meta to build an AI assistant with more than 1 billion users and artificial general intelligence, which is a term used to describe computers that can think and take actions comparable to humans.

“As the world undergoes significant change, as the race for AI accelerates, and as Meta prepares for its next chapter, it is time to create space for others to pursue the work,” Pineau wrote. “I will be cheering from the sidelines, knowing that you have all the ingredients needed to build the best AI systems in the world, and to responsibly bring them into the lives of billions of people.”

Vice President of AI Research and Head of FAIR at Meta Joelle Pineau attends a technology demonstration at the META research laboratory in Paris on February 7, 2025.

Stephane De Sakutin | AFP | Getty Images

Pineau was one of Meta’s top AI researchers and led the company’s fundamental AI research unit, or FAIR, since 2023. There, she oversaw the company’s cutting-edge computer science-related studies, some of which are eventually incorporated into the company’s core apps. 

She joined the company in 2017 to lead Meta’s Montreal AI research lab. Pineau is also a computer science professor at McGill University, where she is a co-director of its reasoning and learning lab.

Some of the projects Pineau helped oversee include Meta’s open-source Llama family of AI models and other technologies like the PyTorch software for AI developers.

Pineau’s departure announcement comes a few weeks ahead of Meta’s LlamaCon AI conference on April 29. There, the company is expected to detail its latest version of Llama. Meta Chief Product Officer Chris Cox, to whom Pineau reported, said in March that Llama 4 will help power AI agents, the latest craze in generative AI. The company is also expected to announce a standalone app for its Meta AI chatbot, CNBC reported in February.

“We thank Joelle for her leadership of FAIR,” a Meta spokesperson said in a statement. “She’s been an important voice for Open Source and helped push breakthroughs to advance our products and the science behind them.” 

Pineau did not reveal her next role but said she “will be taking some time to observe and to reflect, before jumping into a new adventure.”
