What should the CEO be informed about regarding cybersecurity?
In the rapidly evolving digital landscape, the role of CEOs in cybersecurity has undergone a significant transformation. No longer is cybersecurity a solely technical concern delegated to the IT department. Today, it is a core strategic and governance issue that directly impacts overall business risk and resilience.
The SEC is now holding CEOs accountable for misinformation or false statements related to cybersecurity incidents, as seen with SolarWinds' CISO. This heightened scrutiny is a reflection of the growing importance of cybersecurity in the boardroom.
Small rural hospitals, according to Sen. John Barrasso, already employ multifactor authentication, a testament to the pervasiveness of cybersecurity measures in various sectors. However, the cyberattack on UnitedHealth Group serves as a stark reminder of the potential consequences of inadequate cybersecurity measures.
The cyberattack, which affected an estimated third of Americans, disrupted claims processing, payments to providers, prior authorization requests, and eligibility checks for months. UnitedHealth Group's CEO, Andrew Witty, was called to testify in front of Congress over the cyberattack on UnitedHealth's subsidiary, Change Healthcare.
The attack was attributed to multifactor authentication not being enabled on Change Healthcare systems. UnitedHealth paid a $22 million ransom in Bitcoin during the cyberattack, an action that did not go over well with Congress.
CEOs are now more engaged in the details during a breach, activating incident response plans, making decisions, communicating with key stakeholders, and keeping the board informed. Ten years ago, CEOs were primarily involved in making high-level decisions during a cybersecurity incident, but now they are tasked with preventing incidents.
CEOs are responsible to shareholders and, in certain cases, to the country, according to Gartner Distinguished VP Analyst Katell Thielemann. They must dig into cybersecurity before a breach and ask deep and searching questions about the coverage and depth of their company's cybersecurity stance.
The responsibility of CEOs regarding cybersecurity has significantly evolved. They must actively engage with cybersecurity risk oversight, aligning cyber readiness with business goals while collaborating closely with CISOs and the board. Failure to adequately manage cyber risk can lead to severe consequences, including reputational damage, financial loss, and potential legal and regulatory liabilities for CEOs themselves.
CEOs can no longer skim over their company's cybersecurity plans. Old excuses are no longer acceptable in the face of cybersecurity risks. Instead, they should oversee the development and implementation of risk mitigation strategies, incident response plans, and disaster recovery plans.
The shift in the role of CEOs in cybersecurity makes it a board- and CEO-level strategic priority rather than a back-office function. The potential consequences of cybersecurity failures for CEOs extend well beyond operational disruption to reputational harm, financial loss, regulatory penalties, and even personal liability in some cases. This shift underscores the need for CEOs to be at the forefront of cybersecurity strategy and risk management.
- The increasing significance of cybersecurity in the boardroom has led regulatory bodies like the SEC to hold CEOs accountable for any misinformation or false statements concerning cybersecurity incidents.
- Small rural hospitals have adopted multifactor authentication, demonstrating the spread of cybersecurity measures throughout various business sectors; however, a cyberattack on UnitedHealth Group serves as a grim reminder of the repercussions of inadequate cybersecurity safeguards.
- The cyberattack on UnitedHealth Group disrupted several key operations for months, necessitating the testimony of the company's CEO, Andrew Witty, before Congress regarding the cyberattack on Change Healthcare, a UnitedHealth subsidiary.
- CEOs today are more deeply involved during a data breach, taking on roles beyond high-level decision-making, including activating incident response plans, making decisions, and communicating with stakeholders, and they are now also expected to prevent incidents before they occur.
- Given the direct impact of cybersecurity on business risk and resilience, CEOs now play a pivotal role in managing cyber risks, including overseeing the development and implementation of risk mitigation strategies, incident response plans, and disaster recovery plans.