How Boards Can Hold Leaders Accountable For Cybersecurity


Boards must be vigilant in demanding that the C-suite elevate cybersecurity, including ensuring they produce an impact analysis and report after major breaches.

Paul Mee, Jim Fields, Nikhil Sarathi, and Mofeed Sawan

5 min read

The full impact of the ransomware attack on Change Healthcare won’t be known for weeks, maybe months. But in the short space of time since the notorious Blackcat ransomware gang disrupted services at the nation’s largest clearinghouse for insurance billing and payments, one thing is abundantly clear: the financial impact has been devastating. Real-time claims data submitted to Kodiak Solutions indicates that delays in processing claims are costing hospitals more than $2 billion a week.

As the fallout continues, the Department of Health and Human Services' Office for Civil Rights has launched an in-depth investigation into the cyberattack to determine whether a breach of protected health information occurred. And while the Centers for Medicare and Medicaid Services authorized flexibilities to ease the pain on providers, lobbying groups have warned that those policies can do only so much to contain the blast radius. The American Hospital Association and American Medical Association are among those urging Congress to take steps that would allow payers to offer even more relief.

We made the case in a previous article that cybersecurity must be elevated to the CEO and Chief Operating Officer. There’s an equal urgency for boards to take a more active role in holding the C-suite accountable. That includes asking leaders very pointed questions and demanding vigilance in safeguarding the organization’s technology infrastructure. Below we lay out steps that boards should take now to minimize the impact of a cyberattack.

Building insight and distilling critical implications

The healthcare sector overall is a prime target for bad actors, and the next wave of cyberattacks will look different and be deployed in new and more innovative ways. Even if your institution hasn't yet been compromised, it is essential to understand the vulnerabilities that allowed other breaches to occur and what practical actions can be taken to reinforce defenses and preparedness. To do this, an Incident Impact Analysis and Report should be produced, not only to inform the board and executive management but to lay out the steps of an action plan. It should draw on reliable sources and information sharing, and it should be done after every major breach in the sector or in your organization's market. Based on our experience working with a range of clients, such a report should have the following structure:

1. Introduction and context: Collect background information on the incident: the entity or entities and the operating units or functions impacted, the date and timeline, how it was discovered, what immediate actions were taken, and what the notable consequences were, such as the attacked organization reportedly paying a $22 million ransom. Conduct a high-level comparison of the breached entity to your enterprise. This will enable readers to appreciate why this matters and the degree to which it might be a significant risk to your organization.

2. Incident description: Provide a detailed description of the incident, including the type of attack (malware, phishing, ransomware, tampering, destruction), the systems or data affected, the methods used by the attackers, and how the event and response played out within the impacted entity and for those that interacted with or depended upon it.

3. Impact assessment: Produce an assessment covering the impact and consequences for patients, doctors, care workers, nurses, staff, peers, and third parties. Also collect reactions from those stakeholders as well as from regulators, law enforcement, media, competitors, the stock market, and activists. Synthesize information from reliable sources about the extent of data loss or corruption, system downtime, financial losses, reputational damage, and any regulatory ramifications, legal notices or directives, class actions, or leadership and owner liabilities.

4. Response and mitigation: Break down the actions taken in response to the incident, including containment and any immediate remediation measures implemented to prevent spread across other systems and institutions; issuance of new workforce guidance and directives, such as use of contingency processes, special or emergency communications, and comprehensive password resets; eradication of the threat; recovery of systems and data; data clean-up, re-entry, or recapture; integrity and quality tests; and actions taken to avoid copycat or comparable incidents.

5. Root cause analysis: Lay out the immediate contributors and the root causes of the incident. These could be patching or versioning gaps, vulnerabilities in systems, poor controls or processes that allowed the attack to occur, human error, insider or malicious intent, third-party or fourth-party involvement or dependencies, or other contributing factors. Distinguish the initial point of entry from the control failures that let the attacker persist and spread; both need a remediation owner.

6. Reflections: Summarize the key lessons learned from the incident, including areas where the organization's response could have been better and what could have been done to avoid the situation. Include a structured breakdown of the factors that enabled and contributed to the breach, with an analysis and narrative of the attacked organization's posture before, during, and after. If your organization was not directly compromised, include insight into what you avoided and why, with callouts for potential improvement.

7. Conclusion and recommendations: Reiterate the key findings, lessons learned, and recommendations, or actions already taken, based on the observations and analysis of the breach.

8. Appendices: List additional information such as technical details, publicly available logs or incident response information, public statements, supporting information on the organization's cyber defenses, recent relevant assessment summaries, penetration test and red team results, and more.

The case for board action

Given the outsized impact a cyberattack can have on an organization's operations, finances, and reputation, it is incumbent on boards to have strong cyber resilience awareness and insight that will enable the right posture, practices, and playbooks to be confidently and rapidly deployed. The sector-shaking event we are witnessing only reinforces the need for boards to take a more prominent role. Leading organizations are particularly proactive and agile. Beyond the immediate issues, they pose core critical questions such as: Will we be safe in the future? Where do we need greater confidence or preparedness? What more should we be doing? Where should the next dollar of investment go for greater cyber resilience?

Then they can drive hard for clear, fact-based answers and action.