UnitedHealth Group’s cyber breach has wreaked havoc on hospitals, exposed some 150 million patient records, halted medical payments, and already cost the company more than $1 billion in remediation costs — and drawn rare bipartisan outrage as CEO Andrew Whitty was summoned before Congress. But the worst may be yet to come.
In a prescient warning to all corporate boards and C-suite executives, Senator Ron Wyden called on Securities and Exchange Commission Chairman Gary Gensler and Federal Trade Commission Chairman Lina Khan to “investigate UHG’s numerous cybersecurity and technology failures to determine whether it violated federal law and hold these senior executives accountable.”
This sets a precedent: “Wyden is relentless. In past cases like SolarWinds and Uber, the responsibility was placed primarily on the CISO,” emphasized Andrew Haginton, a veteran multidisciplinary tech executive and author of Cyber Governance.
Notably, Higginton pointed to four key features of Wyden’s reprimand: (1) he characterized the incident as “entirely preventable and the result of corporate negligence,” (2) he held the board and executives directly accountable for failing to adhere to industry cyber defense best practices, (3) he justified a more thorough federal investigation in response to preliminary testimony, and (4) he questioned the hiring of a CISO who lacked cyber capabilities.
These keystones form governance benchmarks that senior leaders cannot afford to ignore.
Wyden’s landmark letter begins with the sentence, “I am writing to urge your agency to investigate UnitedHealth Group’s (UHG) negligent cybersecurity practices that have caused significant harm to consumers, investors, the healthcare industry, and the national security of the United States. The company, its senior executives, and its board of directors must be held accountable.” As Wyden says, UHG’s case is by no means an anomaly.
Boards that are negligent on cybersecurity “are setting up CEOs to fail,” writes Bob Zukis, founder and CEO of the Digital Directors Network. Specifically, Zukis identified four red flags that could lead a CEO to take on cybersecurity “on their own.”
1. The board does not have any directors with cyber expertise.
2. The directors’ cyber expertise was not disclosed in the proxy statement.
3. Responsibility for overseeing cybersecurity lies with the Audit Committee.
4. The audit committee charter is silent or only superficially detailed regarding the scope of cybersecurity responsibilities and oversight.
These are widespread issues and UHG has failed on all four fronts.
UnitedHealth’s board of directors has no cyber expertise. The newest director is a political appointee, former Massachusetts governor and current NCAA president Charles Baker. Another director, Christine Gill, is Alphabet’s financial officer, and working for a tech company does not necessarily give her cyber expertise. Other directors include company insiders, medical experts, and current and former executives from investment and auditing firms.
“Costs and expenses [UHG] “When cybersecurity incidents have wiped out nearly $2 billion in capital, rational investors would likely view spending approximately $379,000 (the average annual compensation of UHG directors in 2023) to add a director with actual cyber expertise as prudent and profitable leadership management,” Zukis deftly reasoned.
Additionally, a recent analysis of the S&P 500 proxy by Rob Sloan, vice president of cybersecurity initiatives at Zscaler and former Zscaler employee, noted: The Wall Street Journal According to the Research Directors survey, 71% of companies oversee cybersecurity risks through their audit committee. Only 21 companies (4%) have a committee whose sole (or primary) purpose is cyber. Another 41 companies, including Microsoft, JPMorgan Chase and Pepsi, assign cyber responsibility to the entire board of directors.
As discussed ForbesWhat proxy statements reveal, or hide, says a lot about managing in the digital age. UnitedHealth’s 2024 proxy statement includes the term “cybersecurity” up from 12 in 2023, but it merely adds to a long and general list of obligations, including those included in the audit committee’s duties. Clearly, UHG has taken an all-too-general approach: a red tape, regulation-bound approach.
Wyden agreed, concluding that “the audit committee of UHG’s board of directors is responsible for overseeing the company’s cybersecurity risks but has clearly failed in its job. One likely explanation for the lack of board-level oversight is that no board member had any meaningful expertise in cybersecurity.”
Trial by Fire
CISOs are worried. Cyber software company Proofpoint (interestingly, UHG director Gil once served on its board) reported in its 2024 Voice of the CISO that 71% of 1,600 cyber executives surveyed “perceived risk of a significant cyber attack in the next 12 months.” [and] 31% rate the risk as very high.” And Proofpoint found that board members quietly agree: “73% of board members believe their company faces a risk of a major cyber attack within the next 12 months. [and] More than half believe their organization is not prepared. [breach]. “
Under-resourced and often ignored CISOs can and should turn to Wyden’s letter. Wyden denounces the scapegoating of CISOs and argues for increased oversight of the adoption of this critical safeguard, writing, “One reason for UHG’s negligence and failure to implement industry-standard cyber defenses is the company’s chief cybersecurity officer’s apparent unqualification for the job. UHG’s Chief Information Security Officer (CISO), Steven Martin, had never held a full-time cybersecurity role prior to his promotion to UHG’s Chief Cybersecurity Officer in June 2023.”
“While Martin has decades of experience working in technology, cybersecurity is a speciality that requires special expertise. Just as a heart surgeon should not be hired to perform brain surgery, the head of cybersecurity for the world’s largest healthcare company should not be doing cybersecurity for the first time. Given Martin’s clear lack of cybersecurity experience, it would be unfair to hold him responsible for UHG’s cybersecurity failings.” Instead, the senator believes the responsibility lies at the top.
“Rather, UHG’s CEO and board should be held accountable for promoting individuals without the necessary experience to key roles within the company and for failing to implement basic cyber defenses.”
This is something that CISOs, boards of directors, and CEOs all fear. Preventable Undress.
No more tears
Arcane risk mapping, simplistic quantification methods, inexcusable expertise gaps, technical jargon and executive duplicity are no match for the dangers of the digital age. The right amount of fear can bring about change much more cheaply than a crisis.
It’s easy and free to get started. Ask your board and management to use Wyden’s letter as a guide and substitute UHG’s company, executive names, and data risks with their own. Are the outcomes real, unrealistic, or frightening? The consequences of UnitedHealth’s negligence are an unwelcome hypothetical parallel. That’s why management must understand and address the strategic, reputational, legal, and tactical implications of cybersecurity inaction.
“It is essential that boards continue to embrace the cyber risk management discussion about how to most effectively mitigate the financial and business impacts associated with cyber risk. This discussion is not just about the CIO and CISO. It is a broader C-suite-level discussion led by the CFO and general counsel,” Chris Hetner, former senior cybersecurity advisor to SEC Chairs White and Clayton, now a member of the Nasdaq Center for Board Excellence Insights Council and senior cyber risk advisor to the National Association of Corporate Directors (NACD), told the World Economic Forum.
Hetner advocates for mimicking the risk transfer market’s techniques for more effective cyber defense. For example, the NACD selected X-Analytics as the recommended boardroom cyber risk reporting solution for its more than 23,000 members. X-Analytics is a patented and validated cyber risk decisioning platform that provides greater board insight by linking a company’s cyber risk likelihood, severity and control effectiveness to business, operational and financial losses.
Hetner explained. Forbes Noting that boards need to prioritize cybersecurity, it said: “Management tends to rely on periodic tactical and technical reports to justify solutions that address security issues. Cybersecurity is often poorly communicated when engaging with board members and C-suite executives. This leaves management with no clear understanding of exactly what they are funding and where the gaps remain.”
This is an often overlooked, but manageable, management gap that boards must fill.
Read the letter
Beyond the UnitedHealth debacle, Wyden’s landmark letter raises far-reaching questions about fundamental issues of cyber governance: Will other corporate executives read this letter and ask themselves introspectively whether they, too, might one day be on the receiving end of a scathing cyberattack?
At the very least, Wyden, his boardroom and management will be wondering whether 100 F Street NE and 600 Pennsylvania Avenue NW in Washington, DC, are reading their mail.
Gensler? Khan? Someone? Someone? …