On May 1, 2024, the CEO of UnitedHealth Group (NYSE:UNH) was invited to Washington, DC, where he spent a day being grilled by Senator Ron Wyden (D-Ore.), a member of the Senate Finance Committee, and others at a conference titled “Hacking American Healthcare: Assessing Changing and Future Trends in Healthcare Cyberattacks.”
Wyden set the tone early on about the UNH cyber incident, saying, “The Change Healthcare hack is considered by many to be the largest cybersecurity disruption to health care in American history.”
In his opening remarks, he made clear his disdain for the way the UnitedHealth Group (UHG) boardroom handled its cybersecurity systems, saying:
“Accountability for Change Healthcare failure starts at the top. Prior to this hearing, I asked UHG which of its board members have cybersecurity expertise. UHG pointed to NCAA president Charlie Baker, who signed technology-related legislation while he was governor of Massachusetts. Baker is certainly a basketball expert, but UHG needs actual cybersecurity experts on its board.”
Senator Wyden knows that surprise appointments cannot replace the skill set of a corporate director with cybersecurity expertise. Why didn't UnitedHealth Group's directors appoint such a director? Baker's career and educational background, as described on his Wikipedia page, show no working knowledge in the fields of IT or cybersecurity. Senator Wyden is right that Baker is far from an expert in the many aspects of complex digital business systems, and in cybersecurity in particular.
Perhaps the CEO of UnitedHealth Group would have been better served if he had had a director with cyber expertise on his board long before this incident occurred.
Why didn’t UNH’s CEO ask the board to take the simple step of appointing a director with cyber expertise to the board to strengthen the board as the governing body for the cybersecurity system?
Why don’t all boards take the obvious and logical step of having a director with cyber expertise on their board to help account for this issue?
Why don't investors demand these common sense measures and controls from company boards? Why don't regulators?
In the recent SolarWinds securities litigation, which arose from a cybersecurity incident several years ago, Delaware Deputy Attorney General Glasscock stated, “…assessing business risks; [that] is truly the essential function of the board of directors.”
This is a failure of cybersecurity leadership, and as Senator Wyden said, it starts in the boardroom.
Every board in America and around the world is aware of cyber risks. But as was later pointed out during the hearing on the causes of this incident, awareness alone does not translate into action. Below is an exchange between Senator Wyden and CEO Whitty on the issue of multi-factor authentication (MFA), a fundamental cybersecurity login control, which was not universally implemented at UNH.
Senator Wyden: Thank you, Whitty. First, this hack could have been stopped with Cybersecurity 101. Specifically, we're talking about multi-factor authentication, MFA. Your banking app prompts you to enter a code that's sent to you by text message or email. That's MFA. It protects your account even if someone knows your password. But based on your testimony, it appears the first server that was hacked didn't have multi-factor authentication. So, question number one. Whitty, yes or no? Prior to the hack, were you or anyone in senior management aware that UHG didn't require MFA company-wide? Yes or no?
CEO Whitty: Thank you for your question, Mr. Chairman. Our policy is to have MFA in place for our external facing systems.
Senator Wyden: So if the answer is yes, then I am correct: there were cybersecurity failures on your watch that have harmed patients, the healthcare sector, and investors. I believe there is no excuse for that.
Policy is not practice. The board is responsible for ensuring that management has an effective risk management approach in place and that the program is working effectively. It is also the board's responsibility to implement an effective governance system and to oversee that system.
As Senator Wyden pointed out to the UNH board, not knowing anything about cybersecurity certainly seems like an obstacle to trying to manage it.
A failure to understand and oversee the basics of cybersecurity clearly falls short of a board's basic obligations. Such a failure would be less likely if the board had directors with cybersecurity expertise. Those directors would also improve the board's ability to manage the more complex issues surrounding cybersecurity risk and its far-reaching implications: systemic risk, third-party risk, incident response, changing legal and regulatory requirements, people risk, application security risk, AI and the new risks it brings, and more.
Why would a CEO not want to have a director on his or her board with cybersecurity expertise who can understand and effectively manage fundamental and other highly complex issues?
Having a director with cybersecurity expertise on the board is a high-return, low-effort action that will significantly strengthen the board as a steward in the cybersecurity system, and is easy to implement at little cost, especially for an organization like UNH, one of the largest companies in the United States.
With the costs and expenses of UNH’s cybersecurity incident approaching a $2 billion drain on capital, a rational investor would likely consider spending approximately $379,000 (the average annual salary of a UNH director in 2023) to add a corporate director with actual cyber expertise to the board a prudent and profitable leadership move, one that any CEO would and should weigh just as Senator Wyden did.
So why do CEOs choose to go it alone on cybersecurity? They do so when there are no directors on their board with cyber expertise.
Warren Buffett famously said, “Risk comes from not knowing what you're doing.” Boards that lack directors with cyber expertise negatively impact the effectiveness of a company's cybersecurity risk management. A lack of cybersecurity leadership on the board, which manifests as a lack of expertise and understanding, is a problem that weakens the entire cybersecurity system.
Another sign of the UNH board’s weakness on this issue is that it has delegated cybersecurity oversight to the audit committee (AC). This compounds the problem of the board having no director with cyber expertise: cybersecurity issues are pushed onto the audit committee’s agenda and onto its financial expert, even though the AC’s primary responsibility and focus is financial reporting.
The UNH AC charter does dedicate a sentence to the scope of its cybersecurity responsibilities: “Review and evaluate the effectiveness of the enterprise’s policies, procedures, and resource commitments in the areas of cybersecurity and data protection, including key risk areas and mitigation strategies.” That statement feels like window dressing given that there are no cyber experts in the room and, as Senator Wyden pointed out, oversight of a fundamental such as MFA was lacking.
There are four main warning signs that CEOs should look out for when determining whether their board is in a position to go it alone on cybersecurity.
1. The board does not have directors with cyber expertise.
2. The directors’ cyber expertise is not listed in the company’s official SEC proxy statement, Form DEF 14A.
3. Responsibility for oversight of cybersecurity rests with the Audit Committee (AC).
4. The AC Charter is silent or only superficially specific about the scope of cybersecurity responsibility and oversight.
Leadership matters, especially in cybersecurity: Weak boards of directors in cybersecurity governance will leave CEOs and their companies ill-equipped to safely and successfully navigate the digital future.
Until the board has cyber experts on board, CEOs will likely continue to be on their own when it comes to cybersecurity, which could keep DCs busy.