Satya Nadella asked for 50% cut in his incentive payout over security failures
Microsoft agreed, then upped his payout 63%
Comment Filings with the Securities and Exchange Commission show that, at SatNad's request, the Microsoft board agreed to halve his incentive package, but then more than made up for that with the rest of his compensation award.
According to the documents, Nadella made the unusual request himself, saying that "his personal commitment to security and his role as the CEO" meant it was justified and would "reflect his personal accountability for the focus and speed required for the changes that today's cybersecurity threat landscape showed were necessary."
Microsoft's 2024 started badly when it was forced to admit in January that the email accounts of several of its more senior staff had been accessed, probably by Russian attackers. Then in April the Department of Homeland Security (DHS) released its report into the Chinese attack on Microsoft-hosted government accounts last year, including the inbox of US Commerce Secretary Gina Raimondo. Microsoft's president Brad Smith was hauled into Congress to apologize for that error.
In May Nadella issued a warning memo to staff that pay at Microsoft would be linked in some cases to "meeting our security plans and milestones."
At least he eats his own dog food... sort of.
"The Board reviewed the Company's performance and firmly believes that Mr Nadella provided exceptional leadership and was both critical in achieving the extremely strong performance of the Company and personally responsible for the ongoing repositioning of its investments and priorities," the SEC documents state.
"It also considered the factors that Mr Nadella raised in requesting a reduction of his cash incentive and concluded that such an adjustment was appropriate. The Board approved a fiscal year 2024 cash incentive of $5.2 million, which represents a more than 50 percent reduction compared to what he would have been awarded."
Nadella has a base salary of $2.5 million. But his remuneration also includes stock awards, the aforementioned incentive payments, and some other compensation. So after this mea culpa move, what was he left with? $79,106,183 in total compensation, up 63 percent from last year's $48,512,537. He must be fuming at losing that $5.5 million.
I'm so sick of this
As a security reporter I'm getting more than a little miffed at the complete lack of accountability on companies fudging their responsibilities.
Remember Joe Sullivan, the former CISO at Uber whose response to a case of data theft was to try to buy off the criminals with a $100,000 payout? He received possibly the hardest penalty given to a CISO in that situation after being found guilty of two counts of illegally covering up the intrusion.
Convicted in 2022, he was sentenced to three years on probation, fined $50,000, and ordered to do 200 hours of community service. While some might argue that his career was finished and he'll be tarnished by the event forever, that's not a plea most non-white-collar criminals can try. "I'm sorry I stole that money, Judge, but I will just have to live with the shame," is a strategy likely to fail.
Then there's the 2019 Facebook/Cambridge Analytica fine - possibly the biggest in the data security world. The FTC ruled that Facebook was "deceiving users" about its data sharing practices and imposed a $5 billion fine. While that's a huge sum for most players, Facebook made $18.5 billion in profit that year and, after the deal was announced, the resultant stock price bump also helped cover some of the costs.
And it's not just a US problem. Only last month Samsung was ordered to pay up after exposing two workers to more than a year's normal radiation dose at one of its facilities. The South Korean Nuclear Safety and Security Commission fined the billion-dollar multinational around $8,000 over the incident.
It's time to go European on this
If penalties are going to change behavior effectively, then simply cutting staff pay or issuing easily payable fines just isn't going to cut it.
I suggest we take an approach found in the Nordics and some EU legislation that instead sets fines based on a percentage of revenue, not some arbitrary amount. For example, a serious breach of the GDPR data protection rules allows regulators to impose a fine of up to 4 percent of a firm's global annual turnover (2 percent for lesser infringements). It's interesting how fast tech companies are rushing to comply.
Finland and other countries apply this in many other areas, and on individuals based on their disposable income. This led to the infamous 2002 case where a senior Nokia executive was caught speeding on his motorbike (again) and was hit with a €121,000 fine for going 30 km/h (18 mph) over the speed limit. It was later reduced on appeal to around €6,000 as he argued that - having just sold a bunch of shares - his income was wrongly calculated.
I interviewed him a year later on a different topic and it was clear that he was still bitter about it. "If you want to end the interview quickly, ask him about the speeding fine," his PR warned. Clearly the fine had an effect.
Unless something changes in the regulatory system, companies are going to carry on writing off these slaps on the wrist as the cost of doing business, at which point the penalties become useless as behavior modifiers. Introduce a penalty with some bite and maybe things will improve. ®