Earlier this year, UnitedHealth Group CEO Andrew Witty testified in front of Congress over a February cyberattack on its subsidiary Change Healthcare that affected an estimated third of Americans, and disrupted claims processing, payments to providers, prior authorization requests and eligibility checks for months.
The incident was notable because while cybersecurity breaches have become common, a CEO answering security questions at the highest levels of government is not.
But that’s changing, because the risk of such a breach has changed — especially when personal and health information is compromised, as happened with UnitedHealth.
“Cyber risk has far outstripped the traditional risk in terms of impact,” said Kevin Dunn, the former SVP and head of professional services at NCC Group who now serves as a senior manager for ProServe Security at AWS.
CEOs can no longer skim over their companies' cybersecurity plans. When big incidents occur, they risk being fired, forced to resign, sued by shareholders, or even charged by the Securities and Exchange Commission.
A decades-long perception shift of who is responsible for risk
The role of the CEO hasn’t exactly changed when it comes to cybersecurity, but the CEO’s perception of risk and level of engagement has, said Trevor Horwitz, CISO and founder of Trustnet.
Ten years ago, cybersecurity was seen as an IT and compliance issue, Horwitz said. “If there was a breach, the impact wasn’t seen as significant, and the CEO’s role was primarily to make high-level decisions during the incident.”
The difference now is the potential threat to business operations and reputations, he said. “CEOs are tasked with integrating cybersecurity into the overall business strategy and aligning cybersecurity with business goals.”
Old excuses aren’t going to cut it anymore either, Dunn added.
In the case of UnitedHealth, Witty attributed the hack to the recent acquisition of Change Healthcare, whose security had not yet been brought up to the parent company's standard. Nor was it a sophisticated hack that breached the company: Change Healthcare did not have multifactor authentication turned on, Witty testified.
His responses, including confirmation the company paid a $22 million ransom in Bitcoin, did not go over well with Congress.
“This hack could have been stopped with cybersecurity 101,” Sen. Ron Wyden, D-Ore., said during a hearing in the Senate Committee on Finance. Sen. John Barrasso, R-Wyo., pointed out that even a small rural hospital in his home state has multifactor authentication.
Beyond an embarrassing few days for Witty, such breaches carry ramifications well past Congress compelling company officials to testify.
CEOs are also beholden to the SEC, said Gartner Distinguished VP Analyst Katell Thielemann, meaning they are responsible to shareholders and, when the company they oversee is part of critical infrastructure, to the country.
“The government is telling me ‘I’m sorry’ is not good enough,” Thielemann said. “The national security and economic prosperity implications of critical infrastructure going down is not something we’re willing to take anymore.”
What CEOs need to know
There are also potential legal ramifications to high-profile security incidents, according to Thielemann, through shareholder lawsuits or charges from the SEC, as happened to the CISO of SolarWinds after that company's massive breach.
In the SolarWinds case, “they’re not going after the CEO, but they’re signaling that if they find that there was some misinformation or some outright false statements to investors, that they will go after the CEO,” she said. “If they can go after a CISO for those things, they’ll do the same for the CEO.”
CEOs don’t necessarily have to become experts in the technical aspects of cybersecurity in order to be prepared in case of an attack or — hopefully — to stop one before it starts.
Instead, CEOs should play a role in the overall cybersecurity strategy, said Horwitz, which includes overseeing the development and implementation of risk mitigation strategies, incident response plans and disaster recovery plans.
“When there is a breach, CEOs are now much more engaged in the details, activating incident [response] plans, making decisions, communication with key stakeholders and keeping the board informed,” he said.
That means digging into cybersecurity before there’s a breach.
“I wouldn’t be letting my team off the hook with vague assurances” that the company is safe, said Dunn. Instead, CEOs should be “asking deep and searching questions, not about the technical aspects of it but the coverage and depth and how confident we feel” in the company’s cybersecurity stance.