How Corporate Boards Are Setting CEO’s Up For Cybersecurity Failure
On May 1, 2024 the CEO of UnitedHealthGroup (NYSE:UNH) was invited to Washington, D.C. to spend the day getting raked over the coals by U.S. Senator Ron Wyden (D-Oregon) Chairman of the Senate Finance Committee and others at a meeting titled “Hacking America’s Health Care: Assessing the Change Healthcare Cyber Attack and What’s Next.”
Wyden set the tone early when he described the UNH cyber incident this way, “The Change Healthcare hack is considered by many to be the biggest cybersecurity disruption to health care in American history.”
In his opening remarks he clearly expressed his disdain for the UnitedHealth Group (UHG) boardroom as a control in their cybersecurity system when he said,
“Accountability for Change Healthcare’s failure starts at the top. Before this hearing, I asked UHG which members of its board have cybersecurity expertise. UHG pointed to NCAA President Charlie Baker, who signed some technology-related legislation into law years ago when he was governor of Massachusetts. Mr. Baker is certainly an expert on basketball, but UHG needs an actual cybersecurity expert on its board.”
Senator Wyden knows that a jump shot is not a replaceable corporate director skillset for cybersecurity expertise — why didn’t the UnitedHealth Group board? According to Mr. Baker’s background and education as described on his Wikipedia page, he does not have any functional depth in IT or cybersecurity. Senator Wyden is correct in that he is nowhere close to being an expert in any aspect of complex digital business systems, especially cybersecurity.
Would’nt the CEO of UnitedHealth Group have been better served if the board had a director who was a cyber expert on it, long before this incident took place?
Why did the CEO of UNH not demand that the board take the simple step of putting a director with cyber expertise on the board to strengthen the board as a control in the cybersecurity system?
Why hasn’t every board taken the obvious and logical step of putting a director with cyber expertise on the board to fulfill their responsibilities on this issue?
Why do investors not demand this common-sense step and control on corporate boards? Why haven’t regulators?
In recent SolarWinds securities litigation related to their cybersecurity incident from several years ago, Delaware Vice Chancellor Glasscock made the unequivocal statement “…evaluation of business risk, [is] the quintessential board function.”
This is a cybersecurity leadership failure and as Senator Wyden stated, it starts in the boardroom.
Every board in America and around the world is aware of cyber risk. But awareness isn’t action as was pointed out later in the hearing with regard to the cause of this incident. Here’s the exchange that took place between Senator Wyden and CEO Witty around the issue of multi-factor authentication (MFA), a basic cybersecurity login control, which was not universally implemented at UNH:
Senator Wyden: Thank you, Mr. Witty. Let me begin with this. This hack could have been stopped with Cyber Security 101. And I’m talking specifically about multi-factor authentication, MFA. When your bank app asks you to enter a code sent by text or email. That’s MFA. It secures your account even if your password is learned. Yet your testimony reveals this first server that was hacked didn’t have multi-factor authentication. So question one—I’d like a yes or no answer to Mr. Witty—prior to the hack, did you or any of your senior management know that USG was not requiring MFA company wide? Yes or no?
CEO Witty: Mr. Chairman, thank you for the question. Our policy is to have MFA for externally facing systems.
Senator Wyden: So. If the answer is yes. Then that makes my point. That on your watch there was a cybersecurity failure. And then that’s what caused the harm to patients, health care sector and your investors. I don’t believe there are any excuses for that.
Policy doesn’t make practice. Boards have a responsibility to ensure that management has put in place an effective risk management approach, and that the program is functioning effectively. And the board’s responsibility is to both implement an effective system of governance, and then to monitor that system.
Not knowing anything about cybersecurity, as was called out with the UNH board by Senator Wyden, would certainly seem to be an impairment to trying to govern cybersecurity.
Not understanding and monitoring the very basics of cybersecurity falls short of fulfilling the boards basic duty — a failure unlikely to be made if there were a corporate director with cybersecurity expertise on the board. Notwithstanding governing and addressing much more complicated issues related to cybersecurity risk and its far reaching impacts stemming from systemic risk, third-party risk, incident response, changing legal and regulatory requirements, people risk, application security risk, AI and it’s new risks, etc. etc.
Why wouldn’t a CEO want a corporate director with cybersecurity expertise on the board capable of understanding and effectively governing these issues?
Having a director with cybersecurity expertise on a board is a high return, low effort action that materially strengthens the boardroom as a control in the cybersecurity system…and it’s easy to implement and costs are immaterial, especially for an organization like UNH, one of America’s largest companies.
With the cost and expenses of the UNH cybersecurity incident approaching US $2 BN of wasted capital, a reasonable investor would likely view spending approximately $379,000 (the average annual compensation for a UNH director in 2023) to add a corporate director with actual cyber expertise to the board as a prudent and high return leadership control to have in place. As would, or should, any CEO and as would have Senator Wyden.
Why do CEO’s choose to go it alone on cybersecurity then? Which is what they do when their board does not have a director with cyber expertise.
In the infamous words of Warren Buffet, “Risk comes from not knowing what you are doing.” Boards that do not have directors with cyber expertise on the board are negatively impacting the cybersecurity risk management effectiveness of their companies. Lack of boardroom cybersecurity leadership that only comes through expertise is part of the problem, a problem that weakens the entire cybersecurity system.
In another indication of boardroom weakness on this issue at UNH, the board tasks its audit committee (AC) with cybersecurity oversight. This compounds the problem of not having director cyber expertise in the boardroom by marginalizing the issue of cybersecurity to the agenda of the audit committee, the financial experts on the committee, and their primary responsibility on financial reporting.
While the UNH AC charter does dedicate one sentence to their scope of responsibilities on cybersecurity with the statement, “Review and assess the effectiveness of the companies policies, procedures and resource commitment in the areas of cybersecurity and data protection, including key risk areas and mitigation strategies,” this statement feels like little more than window dressing given there is no cyber expertise in the room and their actual failures to oversee the basics of MFA as called out by Senator Wyden.
There are four major warning signs that CEO’s should be aware of in identifying if their board has them in a position to go it alone on cybersecurity:
1. The board does not have a director with cyber expertise on it.
2. Director cyber expertise is not disclosed in SEC Form DEF 14A, their definitive proxy statement.
3. Cybersecurity oversight responsibility resides with the audit committee (AC).
4. The AC charter makes no statement, or a superficial statement regarding scope of cybersecurity responsibility and oversight.
Leadership matters, including in cybersecurity. Boardroom weakness in cybersecurity governance is not setting CEO’s or their companies up for success in how they are blazing a path safely and successfully into the digital future.
Until there are cyber experts on boards, CEO’s will continue to go it alone in cybersecurity.