Microsoft has come under fire recently from both the U.S. government and rival companies for its failure to stop a Chinese hack of its systems last summer. One change the tech giant is making in response: linking executive compensation more closely to cybersecurity.

In April, a government review board described a hack of Microsoft last summer attributed to China as “preventable.” The U.S. Department of Homeland Security’s Cyber Safety Review Board pointed to “a cascade of errors” and a corporate culture at Microsoft “that deprioritized enterprise security investments and rigorous risk management.”

Competitors have taken advantage of the cyber lapse, with Google publishing a blog post this week highlighting the government findings and noting, “The CSRB report also highlights how many vendors, including Google, are already doing the right thing by engineering approaches that protect against tactics illustrated in the report.” 

CrowdStrike prominently displays the government conclusions on its site.

Nation-state attacks from China and Russia are increasing, and targeting corporations across the economy, as well as the U.S. government and social infrastructure. Microsoft has been a very big target, including hacks by Russia and China. There is growing pressure from the U.S. government for the company to improve its cybersecurity protocols, with its top corporate lawyer, Brad Smith, being called to testify on Capitol Hill.

Microsoft is in damage control mode. After a hack of executive email accounts in January attributed to Russian hackers, the company disclosed the incident in compliance with new federal cybersecurity disclosure rules, even though technically it was not a “material” hack that it was required by law to share, leading to discussion at other firms about where to draw the line on the new disclosure. The decision by Microsoft to link executive compensation to successful cybersecurity performance is another move that is prompting discussions at other firms.

Microsoft launched its Secure Future Initiative in November, and earlier this month, the company outlined in a blog post from Charlie Bell, executive vice president of Microsoft Security, that as part of its SFI goals it will “instill accountability by basing part of the compensation of the company’s Senior Leadership Team on our progress in meeting our security plans and milestones.”

A Microsoft spokesperson declined to provide specifics on the compensation, but said as a company which plays a central role in the world’s digital ecosystem, it has a “critical responsibility” to make cybersecurity a top priority. It is part of the company’s “important governance changes [made] to further support a security-first culture,” the spokesperson said. 

Companies often provide more details, though often only limited details, on executive compensation performance targets in annual meeting proxies, which in Microsoft’s case was last held in December 2023.

Cybersecurity as a core corporate risk and bonus metric

It has become more common for corporations to tie a percentage of annual executive bonus payouts to various goals that go beyond meeting sales and profit targets. In recent years, many Fortune 500 companies, including Apple, have added bonus pay tied to ESG metrics. Risk management and safety goals have long been a part of executive compensation, dating back to an era before the rise of ESG — for example, mining and energy companies, as well as manufacturers and industrials, tying bonuses to environmental and worker safety.

The conversations about cybersecurity-linked executive pay have started taking place at other companies since Microsoft made its move, according to Aalap Shah, managing director at executive compensation consultant Pearl Meyer. It’s not prevalent as a compensation practice today, he said, but he added, “post-Microsoft’s announcement, I’ve gotten phone calls asking, ‘Should we do it? Would it work?’ … These conversations are very similar to the ones we were having a few years ago with ESG metrics and a significant percentage of companies adopted them.”

Shah said there is a case to be made that cybersecurity is a core issue that can be equated to mining or industrial safety. But there’s a big difference between a business in cybersecurity and, for example, a retailer, in making this case. And even in industries beyond technology and cybersecurity where keeping data secure is a core issue, such as financial services and health care — which have been targets of high-profile hacks — it’s not a clear case yet to tie executive compensation of the most senior people, such as a chief financial officer or general counsel, to cybersecurity, versus the chief information security officer or chief technology officer, specifically.

Tying pay to hacks is a ‘good place to start’

Some firms will make the case that cybersecurity is already ingrained in their culture and such a move would be redundant, but with the escalation in hacking threats and increased importance of cybersecurity spending to the bottom line of companies like Microsoft, this new executive pay metric may be overdue.

Making executive compensation contingent, to some degree, on meeting cybersecurity aims is a good place to start instilling a security culture at the top of the corporate hierarchy that is fundamental to success, according to experts. 

“The most important message being sent internally and externally is it’s very important to their culture and more and more companies will follow suit, regardless of whether the gain is significant,” Shah said. “What they want to do is make sure it is becoming ingrained culturally, and the path to do that is by linking it to compensation.”

“Cybersecurity has to be in the culture of the organization,” said Stuart Madnick, professor of information technology at MIT. But prioritizing security can be difficult within a corporation, Madnick said, because it often means putting money into places that aren’t clearly reflected on the bottom line. “Corporate culture prioritizes other things over security and risk management,” Madnick said. “How do you know how secure you are? Maybe no one is targeting you at the time. But if you increase sales by 20%, that’s money in the bank.”

Madnick’s research shows that gaps in corporate culture are often culprits in high-profile hacks, not just the Microsoft example. Prevention, he says, is as much about foresight as hindsight. In a recent article, he cited MIT studies on Equifax and Capital One security breaches of recent years as other prominent examples. “While some risks are true surprises unlikely to be recognized in advance, many are more like the burglar alarm known to be defective,” he said.

Equifax and Capital One did not respond to requests for comment.

Madnick described the corporate mentality as most often “systematic, semi-conscious decision making.” That means management decisions are made without analyzing the cyber risks that are being introduced by the decision. Tying executive compensation to security aims won’t necessarily mean that approach evaporates from a corporate culture, but he said it has symbolic resonance, and from that symbolic register, the practical may indeed follow.

‘An annoyance and a profit center’

For Microsoft, the stakes are higher than for most organizations. Its platforms and systems are so omnipresent — in business and government — that it’s essentially impossible to live without it. “There’s no alternative to Microsoft, from a productivity standpoint. You have to do insane things to try to work without it,” said Ryan Kalember, executive vice president of cybersecurity strategy at cybersecurity vendor Proofpoint.

Adding to the complexity of Microsoft’s unavoidability, he said, is the layered nature of its platforms, in which succeeding iterations are often buttressed by legacy applications stretching back to the 90s, before security threats remotely resembling what now exists.

The U.S. government has called on the largest, and oldest, tech companies to update systems that both businesses and consumers rely on. Last year, Cybersecurity and Infrastructure Security Agency director Jen Easterly said in a CNBC interview that cybersecurity is consumer safety, and compared it to automotive regulations. “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in,” she said. 

Legacy platforms are far easier to plug into and build on rather than deploying a new system entirely, but “it’s a security nightmare,” Kalember said. “One MS365 for everybody from the State Department to Joe’s Crab Shack is a fine business model, it just doesn’t lend itself well to traditional security measures.”

The architectural principles built into some of these legacy systems were designed “when ransomware was really a thing that simply didn’t exist – except on floppy disks,” he said. This has led to the company accruing massive amounts of what is called “technical debt” — decades of it — that can be abused by nation-states and allow foreign intelligence agencies “to steal anything they want,” he added.

Microsoft is caught between two competing impulses, with security “a combination of an annoyance and a profit center,” Kalember said. It’s a profit center because Microsoft is the world’s largest cybersecurity vendor, reaching $20 billion in annual revenue last year. That makes the compensation move “a good gesture,” he said, but he added, “without specifics behind it, it’s very difficult to assess.” 

No details on how Microsoft pay will be influenced

The lack of details on the compensation formula makes it impossible to properly evaluate the incentive. Many companies that adopted ESG metrics did so only in the bonus portion of executive pay, not the long-term incentive plan, which is much more significant. “That’s putting your money where your mouth is,” Shah said.

A bonus may comprise, on average, 20% of executive pay, and within the bonus pool specifically, non-core financial metrics such as ESG only contribute 20% of a potential total bonus payout. “When you have 20% of overall [bonus] compensation and divvy it up into a few different metrics, how much are you really tying something like cyber to it?” Shah said.

Long-term incentive plans tied to equity grants, especially in tech, are where the real money is made, and that’s where these types of non-core financial metrics are low in prevalence. That would be the ideal place within a compensation plan to set pay against long-term cybersecurity and corporate goals, but it is difficult for firms to conceive of two-to-three year goals related to cybersecurity, consumer privacy and data breaches that can be measured like sales and profit. “It will be a challenge,” Shah said. “Is it the number of incidents? The caution I have is the same as with ESG: you want to make sure not only the relevance is there, but you also want to make sure there are quantifiable goals. In a rush to adopt, if it’s subjective, then it is less meaningful for shareholders.”

Boards of directors already have the discretion to hold executives accountable each year and decide to do downward adjustments on bonuses, based on performance, including data breaches. To date, this type of bonus incentive/punishment has been mostly limited to chief information security officers, according to Mike Doonan, managing director at SPMB, an executive search firm where he specializes in technology. In his view, it’s an imperfect comparison to look at the history of bonus pay tied to metrics such as worker safety, since many hacks occur due to third-party vulnerabilities, which are often beyond the company’s direct control. But Doonan said he could see this type of executive incentive being adopted more broadly, “because it’s good PR to say security is a top priority across the entire executive suite, and it might result in improvements.” But he thinks there is an even better way to shore up corporate defense: “saving the bonus pool and investing those dollars into security programs.”

Elon Musk’s xAI Holdings in talks to raise $20 billion, Bloomberg News reports

Elon Musk’s xAI Holdings is in discussions with investors to raise about $20 billion, Bloomberg News reported Friday, citing people familiar with the matter.

The funding would value the company at over $120 billion, according to the report.

Musk was looking to assign “proper value” to xAI, sources told CNBC’s David Faber earlier this month. The remarks were made during a call with xAI investors, sources familiar with the matter told Faber. The Tesla CEO at that time didn’t explicitly mention any upcoming funding round, but the sources suggested xAI was preparing for a substantial capital raise in the near future.

The funding amount could be more than $20 billion as the exact figure had not been decided, the Bloomberg report added.

Artificial intelligence startup xAI didn’t immediately respond to a CNBC request for comment outside of U.S. business hours.

The AI firm last month acquired X in an all-stock deal that valued xAI at $80 billion and the social media platform at $33 billion.

“xAI and X’s futures are intertwined. Today, we officially take the step to combine the data, models, compute, distribution and talent,” Musk said on X, announcing the deal. “This combination will unlock immense potential by blending xAI’s advanced AI capability and expertise with X’s massive reach.”

— CNBC’s Samantha Subin contributed to this report.

Alphabet jumps 3% as search, advertising units show resilient growth

Alphabet’s stock gained 3% Friday after signaling strong growth in its search and advertising businesses amid a competitive artificial intelligence environment and uncertain macro backdrop.

“GOOGL’s pace of GenAI product roll-out is accelerating with multiple encouraging signals,” wrote Morgan Stanley’s Brian Nowak. “Macro uncertainty still exists but we remain [overweight] given GOOGL’s still strong relative position and improving pace of GenAI enabled product roll-out.”

The search giant posted earnings of $2.81 per share on $90.23 billion in revenues. That topped the $89.12 billion in sales and $2.01 in EPS expected by LSEG analysts. Revenues grew 12% year-over-year and ahead of the 10% anticipated by Wall Street.

Net income rose 46% to $34.54 billion, or $2.81 per share. That’s up from $23.66 billion, or $1.89 per share, in the year-ago period. Alphabet said the figure included $8 billion in unrealized gains on its nonmarketable equity securities connected to its investment in a private company.

Adjusted earnings, excluding that gain, were $2.27 per share, according to LSEG, and topped analyst expectations.

Alphabet shares have pulled back about 16% this year as it battles volatility spurred by mounting trade war fears and worries that President Donald Trump’s tariffs could crush the global economy. That would make it more difficult for Alphabet to potentially acquire infrastructure for data centers powering AI models as it faces off against competitors such as OpenAI and Anthropic to develop large language models.

During Thursday’s call with investors, Alphabet suggested that it’s too soon to tally the total impact of tariffs. However, Google’s business chief Philipp Schindler said that ending the de minimis trade exemption in May, which created a loophole benefitting many Chinese e-commerce retailers, could create a “slight headwind” for the company’s ads business, specifically in the Asia-Pacific region. The loophole allows shipments under $800 to come into the U.S. duty-free.

Despite this backdrop, Alphabet showed steady growth in its advertising and search business, reporting $66.89 billion in revenues for its advertising unit. That reflected 8.5% growth from the year-ago period. The company reported $8.93 billion in advertising revenue for its YouTube business, shy of an $8.97 billion estimate from StreetAccount.

Alphabet’s “Search and other” unit rose 9.8% to $50.7 billion, up from $46.16 billion last year. The company said that its AI Overviews tool used in its Google search results page has accumulated 1.5 billion monthly users from a billion in October.

Bank of America analyst Justin Post said that Wall Street is underestimating the upside potential and “monetization ramp” from this tool and cloud demand fueled by AI.

“The strong 1Q search performance, along with constructive comments on Gemini [large language model] performance and [AI Overviews] adoption could help alleviate some investor concerns on AI competition,” Post wrote in a note.

CNBC’s Jennifer Elias contributed to this report.

Amazon sellers raise prices after Trump’s China tariff: ‘It’s unsustainable’

For 10 years, Aaron Cordovez has been selling kitchen appliances on Amazon. Now he’s in a bind, because most of his products are manufactured in China.

Cordovez, co-founder of Zulay Kitchen, said his company is moving “as fast as we can” to move production to India, Mexico and other markets, where tariffs are increasing under President Donald Trump, but are mild compared with the levies imposed on goods from China. That process will likely take at least a year or two to complete, he said.

“We’re making our inventory last as long as we can,” Cordovez said in an email.

Zulay is also temporarily raising the price of some of its milk frothers, smores roasting sticks and other products. The company’s popular kitchen strainer now costs $12.99, up from $9.99 before Trump announced his sweeping tariff proposal earlier this month.

Amazon merchants are hiking prices for everything from diaper bags and refrigerator magnets to charm necklaces and other top-selling items as they confront higher import costs. E-commerce software company SmartScout tracked 930 products on Amazon that have seen increased prices since April 9, with an average jump of 29%.

The price hikes affect a range of categories, including clothing, jewelry, household items, office supplies, electronics and toys.

The trade war with China has threatened to upend sellers on Amazon’s third-party marketplace, which accounts for about 60% of the company’s online sales. Many merchants are based in China or rely on the world’s second-largest economy to source and assemble their products.

Sellers are now faced with the conundrum of raising prices or eating the extra costs associated with Trump’s new tariffs. It’s an existential threat for many sellers, who subsist on razor-thin margins and have, for the last several years, dealt with rising costs on Amazon tied to storage, fulfillment, shipping and advertising fees along with pricing pressure from increased competition.

CEO Andy Jassy told CNBC earlier this month that the company was “going to try and do everything we can” to keep prices low for shoppers, including renegotiating terms with some of its suppliers. But he acknowledged some third-party sellers will “need to pass that cost” of tariffs on to consumers.

Amazon’s stock price is down 15% so far this year, sliding along with the broader market. The company reports first-quarter earnings next week.

Goods imported from China now face import duties of 145%, though Trump said Wednesday his administration is “actively” talking with China about a potential deal to lower tariffs. Chinese officials on Thursday denied that trade talks are taking place.

About 25% of the price increases observed by SmartScout were initiated by sellers based in China, said Scott Needham, the company’s CEO. Last week, stainless steel jewelry maker Ursteel hiked prices on four of its products by $6.50, while apparel brand Chouyatou raised the price of some of its dresses by $2. Both businesses are based in China’s Zhejiang province.

Anker, a Chinese electronics brand and one of Amazon’s largest sellers, has raised prices on one-fifth of its products sold in the U.S., including a portable power bank, which went up to $135 from $110, SmartScout data shows.

Representatives from Anker, Ursteel and Chouyatou didn’t respond to requests for comment.

Zulay, headquartered in Florida, is one of many U.S.-based sellers raising prices. The company is also cutting costs. Cordovez said he’s been forced to lay off 19% of his workforce and slash online ad spending by 85%.

Desert Cactus, based in Illinois, is also taking action. Joe Stefani, the company’s president, has been looking to move production of some of his brand’s college-themed merchandise out of China and into Mexico, India and Vietnam. About half of Desert Cactus’ goods come from China, while the rest are made in the U.S., Stefani said.

One of the company’s top products is a customizable license plate frame that’s manufactured in China. At the start of Trump’s first term in 2016, Stefani’s company paid import and shipping fees of 4% on the license plates. That rate has since skyrocketed to 170%, he said.

“The tariffs can’t stay this high,” Stefani said. “There’s so many people that just aren’t going to make it.”

Stefani said he expects Desert Cactus will end up raising prices on some products, though he’s worried shoppers might be put off by sticker shock.

“Will someone be willing to pay $50 for a hat on Amazon?” Stefani said. “You know it’s going to be expensive at the ballpark, but on Amazon we don’t know.”

Dave Dama, co-founder of health and beauty business Pure Daily Care, said the price to manufacture one of his skin-care products in China jumped to $25 from $10. Most Amazon sellers will have no choice but to raise prices, he said.

“If you were selling something for $40 and making a $7 or $8 profit at the end of the day, with these tariffs, those days are gone,” Dama said. “You can’t do that anymore. It’s unsustainable.”

Pure Daily Care plans to stagger price increases over several weeks, and only on products “we absolutely need to,” to keep Amazon’s algorithms from ranking it lower in search results or losing the valuable buy box, he said. The buy box determines which listing pops up first when a shopper clicks on a particular product, and the one that gets purchased when they tap “Add to Cart.”

An Amazon spokesperson said the company’s pricing policies continue to apply.

“As always, sellers set their own prices, and we regularly monitor how we highlight great prices as Featured Offers to provide customers with low prices across a wide selection,” the spokesperson said in a statement.

Dama said his company has enough inventory for some products to last up to six months, which it aims to “stretch as long as possible” in the hope that China and the U.S. can reach a trade deal. The company is also forgoing some sales promotions and discounts, while pausing spend on some display and video ads.

Regarding his inventory, Dama said, “We can try to stretch that seven, eight, nine months, which buys us a lot more time for this thing to work out, hopefully.”
