UnitedHealth Group’s cyber breach disrupted hospitals, compromised nearly 150 million patient records, halted medical payments and already cost over $1 billion in remediation. CEO Andrew Witty was whisked to Congress to face rare bipartisan outrage. Yet the worst may await.
Notably, Heighington pointed to four key distinguishing elements of Wyden’s rebuke: characterization of the incident as “entirely preventable and a result of corporate negligence”; direct blame of the board and C-suite for failure to adhere to industry cyber defense best practices; a call for deeper federal investigation in response to preliminary testimony; and questioning of a CISO hire lacking cyber chops.
“With the cost and expenses of the cybersecurity incident approaching $2 billion of wasted capital, a reasonable investor would likely view spending approximately $379,000 to add a director with actual cyber expertise as a prudent and high return leadership control,” Zukis cleverly deduced.

research director, shows that 71% oversee cybersecurity risk via the audit committee. Only 21 companies have a committee with cyber as its sole purpose.
Under-resourced and often-ignored CISOs can and should reference Wyden’s letter. The senator condemns CISO scapegoating and insists on better hiring oversight for this critical safeguard, writing, “One likely reason for UHG’s negligence, and the company’s failure to adopt industry-standard cyber defenses, is that the company’s top cybersecurity official appears to be unqualified for the job.”