What If The Scathing UnitedHealth Cyber Rebuke Was Yours?
UnitedHealth Group’s cyber breach disrupted hospitals, compromised nearly 150 million patient records, halted medical payments and has already cost over $1 billion in remediation. CEO Andrew Witty was whisked to Congress for rare bipartisan outrage. Yet the worst may await.
In a prescient warning to all corporate boards and c-suites, Senator Ron Wyden urged Securities and Exchange Commission chair Gary Gensler and Federal Trade Commission head Lina Khan to “investigate UHG’s numerous cybersecurity and technology failures to determine if any federal laws were broken and hold these senior officials accountable.”
That sets precedent. “Wyden doesn’t pull any punches. In previous cases like SolarWinds and Uber, accountability was largely placed on the chief information security officer (CISO),” experienced cross-sector tech executive and cyber governance author Andrew Heighington highlighted.
Notably, Heighington pointed to four key distinguishing elements of Wyden’s rebuke: (1) incident characterization as “entirely preventable and a result of corporate negligence;” (2) direct board and c-suite blame for failure to adhere to industry cyber defense best practices; (3) warranted deeper federal investigation in response to preliminary testimony; and (4) questioning a CISO hire lacking cyber chops.
Those keystones frame governance benchmarks no senior leader can ignore.
Mailing it in
Wyden’s watershed letter opens, “I write to request that your agencies investigate UnitedHealth Group’s (UHG) negligent cybersecurity practices, which caused substantial harm to consumers, investors, the health care industry and U.S. national security. The company, its senior executives and board of directors must be held accountable.” He’s correct and the UHG case is hardly an outlier.
Boards lax on cybersecurity are “setting CEOs up for failure,” Digital Directors Network founder and CEO Bob Zukis wrote. Specifically, Zukis identified four red flags that put a CEO in a “go it alone” cybersecurity position:
1. The board does not have a director with cyber expertise.
2. Director cyber expertise is not disclosed in the proxy statement.
3. Cybersecurity oversight responsibility resides with the audit committee.
4. The audit committee charter makes no (or just a superficial) statement regarding cybersecurity responsibility and oversight scope.
Those are widespread problems and UHG fails on all four dimensions.
UnitedHealth’s board lacks a cyber expert. The newest director is an appointee with political clout — outgoing Massachusetts governor and now-NCAA president Charles Baker. Another director, Kristin Gil, is a finance officer at Alphabet — working at a tech firm does not constitute cyber expertise. Others include insiders, medical professionals and current and former investment and audit firm executives.
“With the cost and expenses of the [UHG] cybersecurity incident approaching $2 billion of wasted capital, a reasonable investor would likely view spending approximately $379,000 (the average 2023 UHG director annual compensation) to add a director with actual cyber expertise as a prudent and high return leadership control,” Zukis cleverly deduced.
Further, a recent analysis of S&P 500 proxy statements by Rob Sloan, Zscaler VP of cybersecurity advocacy and former Wall Street Journal research director, shows that 71% oversee cybersecurity risk via the audit committee. Only 21 companies (4%) have a committee with cyber as its sole (or a primary) purpose. Another 41 firms, including Microsoft, JP Morgan Chase and Pepsi, assign cyber responsibility to the full board.
As discussed on Forbes, what a proxy statement reveals or conceals tells much about digital era stewardship. UnitedHealth’s 2024 proxy statement mentions the word “cybersecurity,” up from 12 times in 2023, but still as an add-on to long, generic lists of duties, including those tucked into the audit committee charge. Clearly, UHG adopted the all-too-common approach: a perfunctory, regulatory, pencil-whipped one.
Wyden agrees, concluding, “the audit committee of UHG’s board, which is responsible for overseeing cybersecurity risk to the company, clearly failed to do its job. One likely explanation for this board-level oversight failure is that none of the board members have any meaningful cybersecurity expertise.”
Trial by fire
CISOs are worried. Cyber software firm Proofpoint (of which, intriguingly, UHG board member Gil was once a director) in its 2024 Voice of the CISO, reported that 71% of the 1,600 surveyed cyber executives “feel at risk of experiencing a material cyber attack over the next 12 months [and] 31% rate the risk as very likely.” Proofpoint also found that board members quietly agree as “73% of board members believe they face a risk of a major cyber attack in the next 12 months [and] just over half believe their organization is unprepared to cope with a [breach].”
Under-resourced and often-ignored CISOs can and should reference Wyden’s letter. The senator condemns CISO scapegoating and insists on better hiring oversight for this critical safeguard, writing, “One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job. Steven Martin, UHG’s chief information security officer (CISO), had not worked in a full-time cybersecurity role before he was elevated to the top cybersecurity position at UHG in June 2023.”
“Although Mr. Martin has decades of experience in technology jobs, cybersecurity is a specialized field, requiring specific expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the largest health care company in the world should not be someone’s first cybersecurity job. Due to his apparent lack of prior experience in cybersecurity, it would be unfair to scapegoat Mr. Martin for UHG’s cybersecurity lapses.” Rather, the senator holds the top culpable.
“Instead, UHG’s CEO and the company’s board of directors should be held responsible for elevating someone without the necessary experience to such an important role in the company, as well as for the company’s failure to adopt basic cyber defenses.”
Any CISO, board or CEO would dread such a preventable undressing.
No more tears
Esoteric risk mapping, simplistic quantification techniques, indefensible expertise gaps, techno-babble and executive double-speak are no match for digital era danger. A healthy dose of fear can drive change far cheaper than a crisis.
Here’s an easy, free start. Take Wyden’s letter and have the board and c-suite replace the UHG company, executive names and data risks with their own. Are the results realistic, far-fetched or perhaps terrifying? UnitedHealth’s negligence aftermath is an unwelcome hypothetical parallel. That’s why executives must appreciate and address the strategic, reputational, legal and tactical consequences of cybersecurity inaction.
“It is essential for boards to continuously incorporate cyber risk management discussions related to the most effective way to reduce the financial and business impact connected with cyber risk. The conversation isn’t just for the CIO and CISO. It’s a broader c-suite discussion, which must be led by the CFO and general counsel,” Chris Hetner, former senior cybersecurity advisor to SEC Chairs White and Clayton and currently Nasdaq Center for Board Excellence Insights Council member and senior cyber risk advisor to the National Association of Corporate Directors (NACD), told the World Economic Forum.
Hetner advocates mirroring risk transfer market methods for more effective cyber defense. For instance, the NACD selected X-Analytics as the preferred boardroom cyber risk reporting solution for their over 23,000 members. X-Analytics is a patented and validated cyber risk decisioning platform that elevates board acumen by tying an enterprise’s cyber risk probability, severity and control effectiveness to business, operational and financial losses.
Hetner explained to Forbes that boards need to prioritize cybersecurity, noting: “The default tendency of executives is to rely on periodic tactical and technical reports to justify solutions that may address security issues. Too often, cybersecurity gets lost in translation when engaging board members and the c-suite. This leaves leadership unsure of precisely what they are funding and where residual gaps remain.”
That’s the overlooked, but manageable, stewardship gap boards must close.
Read the letter
Beyond the UnitedHealth fiasco, Wyden’s landmark letter provokes far-reaching, fundamental cyber governance questions. Are other corporate executives willing to read it and introspectively ask whether a blistering cyber rebuke could someday be theirs?
At the very least, Wyden, boardrooms and c-suites will be wondering if 100 F Street NE or 600 Pennsylvania Avenue NW in Washington, DC reads the mail.
Gensler? Khan? Anyone? Anyone?…