Does your CEO know the impacts of cybersecurity?

Gone are the days when cybersecurity was an IT or compliance issue. The buck stops with the CEO. When the proverbial rubbish hits the fan, the risk of shareholder lawsuits, regulatory charges or even job loss becomes real.

According to Cybersecuritydive.com, US-based UnitedHealth CEO Andrew Witty testified earlier this year before the Senate Finance Committee in Washington, DC, regarding a cyberattack on its subsidiary Change Healthcare.

Although cybersecurity breaches are becoming more common, what made the incident notable was that the CEO had to answer to the highest levels of government.

“Cyber risk has far outstripped the traditional risk in terms of impact,” said Kevin Dunn, senior manager for ProServe Security at AWS.

Responsibility for risk is shifting

The role of the CEO hasn’t exactly changed when it comes to cybersecurity, but the CEO’s perception of risk and level of engagement has, said Trevor Horwitz, CISO and founder of Trustnet.

Ten years ago, cybersecurity was seen as an IT and compliance issue, Horwitz said. “If there was a breach, the impact wasn’t seen as significant, and the CEO’s role was primarily to make high-level decisions during the incident.”

“The potential threat to business operations and reputations is what has changed, and CEOs are tasked with integrating cybersecurity into the overall business strategy and aligning it with business goals,” he added.

In UnitedHealth’s case, Witty attributed the hack to security not being brought up to standard after it acquired Change Healthcare. The preventable hack wasn’t sophisticated either – Change Healthcare did not have multifactor authentication turned on. It resulted in a $22 million ransom in Bitcoin, which the company paid.

What CEOs need to know

There are potential legal ramifications to high-profile security incidents. CEOs don’t necessarily have to become cybersecurity experts to be prepared for an attack. They should play an active role in the overall cybersecurity strategy and should be engaged in response and communications if an attack occurs.

“I wouldn’t be letting my team off the hook with vague assurances” that the company is safe, said Dunn. Instead, CEOs should be “asking deep and searching questions, not about the technical aspects of it but the coverage and depth and how confident we feel” in the company’s cybersecurity stance.