CISOs are increasingly cast as the owners of cyber risk; their role should be decision support for board and business.

By Jeff B. Copeland

Sen. Ron Wyden, Chairman of the US Senate Finance Committee, wrote a stinging letter to the US Securities and Exchange Commission and Federal Trade Commission asking for an investigation of the 2024 UnitedHealth Group hack, with special scrutiny of the CISO and the board.

“Completely preventable and the direct result of corporate negligence,” Wyden wrote of the disastrous ransomware attack that disrupted medical and pharmacy operations and could run to more than $3 billion in costs to the company (as estimated by our How Material Is That Hack service).

Wyden charged UnitedHealth with:

  1. “Failure to adopt industry-standard cyber defenses.” The entry point for the intrusion was a remote-access server with no multi-factor authentication, and UnitedHealth CEO Andrew Witty admitted in testimony to Wyden’s committee that the company had been lax in enforcing MFA on legacy systems.
  2. “The company’s top cybersecurity official appears to be unqualified for the job.” CISO Steven Martin, though an otherwise experienced technology executive, was in his first full-time CISO role, the letter said (adding that hiring him was also a failure of the board). This may be the first time a senator has called out a CISO by name after a data breach, at least since the Senate examined Uber CSO Joseph Sullivan’s 2016 payoff to hackers.
  3. As for the board, “none of the members have any meaningful cybersecurity expertise.”

Wyden concluded with a plea to investigate the company’s “numerous cybersecurity and technology failures, to determine if any federal laws under your jurisdiction were broken, and, as appropriate, hold these senior officials accountable.”

In referring the matter to the SEC and FTC, Wyden put the case in front of two of the most active agencies in US cybersecurity regulation. The FTC has been especially aggressive against healthcare companies over privacy breaches. The SEC’s cyber risk disclosure rules have forced public companies to be acutely aware of “materiality”: quantifying when a cyber risk crosses the threshold of serious financial impact that must be disclosed.


The SEC’s suit against SolarWinds comes closest to the facts of the UnitedHealth incident. The agency used its authority over internal accounting controls at public companies to charge the IT-management software vendor with failing to maintain adequate cybersecurity controls. The complaint also charged the SolarWinds CISO with concealing control failures through false public statements, a charge more in line with the SEC’s usual focus on disclosure violations. No disclosure issues have so far emerged in the UnitedHealth case.

Let’s Clarify the Role of the CISO

No matter where UnitedHealth’s regulatory fate lands, the trend is clear: CISOs are front and center, and in the line of fire, when cyber incidents occur.

Understand the underlying shift taking place: CISOs are being recast as the owners of cyber risk.

But they do not own the risk; the business owners own the risk.

The role of the CISO is to present the business owners with options for managing their risk, grounded in a solid, quantitative risk assessment (we base our SAFE One risk management platform on Factor Analysis of Information Risk [FAIR], the recognized open standard for cyber risk quantification).

A CISO should be able to:

  1. Communicate cyber risk from a business-impact perspective.
  2. Prioritize and execute risk treatment plans using a data-driven approach.
  3. Justify cybersecurity investments against the budget levels set by the business.

The CISO’s recommendations to the business should always be informed by the latest data on external threats and the state of the organization’s controls.

But here is the key distinction: CISOs should strive to be seen as risk leaders and key advisors to business decision-makers, not as technical subject matter experts, and certainly not as curators of a stack of controls.


CISOs: 5 Steps to Be a Risk Leader in Your Organization (and Avoid a UnitedHealth Moment)

  1. Proactively identify your top risks. The SAFE One platform calculates the likelihood and impact of risk scenarios specific to your business.
  2. Actively monitor risks for materiality. SAFE One uses the FAIR-MAM standard to gather accurate data on probable losses from a cyber incident.
  3. Prioritize risks for treatment based on ROI. Run what-if analysis in the platform to identify the most cost-effective controls for risk reduction, with the help of FAIR-CAM, the FAIR controls model.
  4. Keep it transparent. Report on cyber risk management in terms the business understands, at the cadence it expects in order to stay well informed.
  5. Protect yourself. Make it clear that cyber risk is enterprise risk and that risk management is a whole-of-company responsibility. Agree well in advance on the parameters for materiality and on who makes the call to declare an incident material.
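To make steps 1 to 3 concrete, here is an added worked example of the FAIR arithmetic behind them. It is illustration code written for this page, not SAFE One or Safe Security code, and it makes no use of FAIR-MAM or FAIR-CAM data. Following FAIR, loss event frequency is threat event frequency times vulnerability, annual loss is the sum of loss magnitudes over the loss events in a year, and a Monte Carlo run yields the annualized loss expectancy (ALE), a tail percentile, and the probability that a year’s loss exceeds a materiality threshold. The scenario figures (attempt rates, MFA effectiveness, loss ranges, a $25M materiality line and a $2M annual control cost) are constructed assumptions chosen to resemble an “MFA missing on remote access” scenario, not data from the UnitedHealth incident.

```python
import math
import random
from dataclasses import dataclass

# Added example, not SAFE One or Safe Security code. All scenario figures below are
# constructed assumptions for illustration, not data from any real incident.


@dataclass
class Pert:
    """Calibrated min / most-likely / max estimate, sampled as a PERT (scaled beta)."""
    lo: float
    mode: float
    hi: float
    lam: float = 4.0  # standard PERT shape parameter

    def sample(self, rng: random.Random) -> float:
        if self.hi <= self.lo:  # degenerate estimate: treat as a point value
            return self.lo
        span = self.hi - self.lo
        a = 1.0 + self.lam * (self.mode - self.lo) / span
        b = 1.0 + self.lam * (self.hi - self.mode) / span
        return self.lo + span * rng.betavariate(a, b)


@dataclass
class Scenario:
    tef: Pert   # threat event frequency: attacker attempts per year
    vuln: Pert  # vulnerability: probability an attempt becomes a loss event
    lm: Pert    # loss magnitude per loss event, in dollars


def poisson(rng: random.Random, lam: float) -> int:
    """Number of loss events in a year given an expected rate (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scn: Scenario, trials: int = 10_000, seed: int = 1) -> list[float]:
    """Monte Carlo: one simulated year per trial, returning the annual loss of each."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        lef = scn.tef.sample(rng) * scn.vuln.sample(rng)  # FAIR: LEF = TEF x Vuln
        events = poisson(rng, lef)
        losses.append(sum(scn.lm.sample(rng) for _ in range(events)))
    return losses


def summarize(losses: list[float], materiality: float) -> dict:
    """ALE, 95th-percentile annual loss, and probability of a material year."""
    n = len(losses)
    ordered = sorted(losses)
    return {
        "ale": sum(losses) / n,
        "p95": ordered[min(n - 1, int(0.95 * n))],
        "p_material": sum(1 for x in losses if x >= materiality) / n,
    }


def control_roi(ale_before: float, ale_after: float, annual_cost: float) -> float:
    """Return on a control: risk reduction net of its cost, relative to its cost."""
    return (ale_before - ale_after - annual_cost) / annual_cost


# Constructed scenario: ransomware via a remote-access server without MFA.
BASELINE = Scenario(
    tef=Pert(1, 3, 10),                       # credentialed intrusion attempts per year
    vuln=Pert(0.30, 0.50, 0.80),              # no MFA: a stolen password usually works
    lm=Pert(1_000_000, 10_000_000, 100_000_000),
)
# What-if: the same scenario with MFA enforced on that server (assumed effectiveness).
WITH_MFA = Scenario(tef=BASELINE.tef, vuln=Pert(0.02, 0.05, 0.15), lm=BASELINE.lm)
MATERIALITY = 25_000_000   # assumed threshold agreed with the business in advance
MFA_ANNUAL_COST = 2_000_000  # assumed annual cost of the control


def what_if(before: Scenario, after: Scenario, annual_cost: float,
            materiality: float, trials: int = 10_000, seed: int = 1) -> dict:
    """Compare two scenarios and compute the ROI of moving from the first to the second."""
    b = summarize(simulate(before, trials, seed), materiality)
    a = summarize(simulate(after, trials, seed), materiality)
    return {"before": b, "after": a,
            "roi": control_roi(b["ale"], a["ale"], annual_cost)}


if __name__ == "__main__":
    r = what_if(BASELINE, WITH_MFA, MFA_ANNUAL_COST, MATERIALITY)
    for label in ("before", "after"):
        s = r[label]
        print(f"{label:>6}: ALE ${s['ale']:,.0f}  P95 ${s['p95']:,.0f}  "
              f"P(material year) {s['p_material']:.1%}")
    print(f"MFA control ROI: {r['roi']:.1f}x")
```

The point for the board is the last two numbers: the probability of a year that crosses the materiality line, before and after the control, and the ROI of the control against its budget. That is the decision-support output a risk leader brings, rather than a list of missing controls.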

Let Safe Security show you how to make the transition to risk leadership: contact us for a demo of the SAFE One platform.