The Board’s Role in Cybersecurity

Cyberattacks. They are perhaps the most vexing security threats facing businesses today. To have a computer connected to the outside world is by definition to be vulnerable. Yet an analysis published in The NTT Group’s 2016 Global Threat Intelligence Report[1] reported that only 23 percent of organizations are capable of responding effectively to a cyber incident. The challenges of being prepared are compounded by the sheer volume, sophistication, and shifting nature of the attacks. Threats are constantly evolving. Defenses need to evolve with them.

Hospitals, health insurance companies, law firms, private equity firms, and others with access to sensitive patient, client or personally identifiable information are, unfortunately, inviting targets. TrapX™, a cybersecurity defense firm, reported in its 2016 Year-End Health Care Cyber Breach Report[2] that major cyberattacks on healthcare institutions increased by 63 percent over the prior year. The same report cites 123,869,931 documented cases of patient records being breached over the 2015 to 2016 timespan. Highly regulated industries, such as the financial and business services sectors, witnessed the highest volume of attacks. With the exception of health care, these industries face the highest per capita data breach resolution costs. At $402 per record, the average cost of a healthcare data breach was considerably higher than breaches in the financial services industry, which run on average $264 per compromised record.[3] The proliferation of these attacks is likely to continue.

Financial services companies face a real threat to the confidentiality and trust inherent in the firm-investor relationship. For healthcare organizations, there is an added risk. It has been widely reported that the information contained in a medical record makes it approximately four times more valuable on the black market than a social security number.[4],[5]And while IT security at hospitals primarily focuses on data breaches, the infiltration of IT systems can also cause problems in areas such as planned surgeries, diagnostic procedures, and the operation of medical devices. Consequently, for hospitals, the risks from cyberattacks go beyond the financial and reputational. They can also endanger patients.

The magnitude of the cybersecurity threat clearly makes it a board level issue. Understandably, however, the arcane nature and technical complexity of the subject can cause the eyes of many board members to glaze over the details. It’s important, though, for all board members, regardless of technical background or inclination, to participate in ensuring the right policies and practices are in place and followed.

As cybersecurity specialist Martin Liutermoza, AVP of Information Security Engineering for Nasdaq put it, “Boards need to educate themselves and we need to help educate them on what security actually is and what it means. They need to understand what they are trying to protect.” He added, “That includes having a sense for the access points where hospitals are most vulnerable, such as Electronic Health Record (EHR) systems, web-enabled medical devices, mobile devices, and third-party vendors that connect to the hospital’s network.”

As with other issues, the board’s focus belongs on strategy, policy, and management oversight. The board adage of NIFO – noses in, fingers out – applies. It’s important for boards to ask the right questions and ensure the answers pass the smell test. Implementation, and the technical plans that go with it, are the responsibility of management.

For boards, here are some key areas for exploration:

1. Understand how cybersecurity and, on a broader basis, IT security, fit within the organization’s overall enterprise risk management program.
2. Have management explain where the organization is most vulnerable and what steps are being taken to mitigate those vulnerabilities.
3. Understand the reporting structure, systems, controls, and measures management has in place to protect the organization from major cyber threats.
4. Have management explain the extent to which the organization is using advanced technological tools to identify and stop attacks in real time.
5. Have management ensure adequate staffing, budgeting, and training are in place to prevent and respond to attacks.
6. Review management’s response plan to potential attacks and data breaches.
7. Have an outside IT security expert conduct an audit on an annual basis and present findings to the board.
8. Set a schedule with management for regular updates. Decide whether to have the briefings made to the full board or a committee of the board.

No matter how well an organization is prepared, it cannot fully prevent cyberattacks. What it can do is have the right plans and systems in place to block some attacks and significantly mitigate the effect of others. In the words of Nasdaq’s Martin Liutermoza, “Having the right preparation and crisis recovery plan is going to keep people out of a lot of nightmares.” It’s the board’s responsibility to ensure those plans are in place.

Gordon R. Clark serves as president and CEO of iProtean, the leading provider of e-learning courses for the boards of hospitals and health systems. Prior to iProtean, Gordon was president and CEO of Learner's Digest International, a provider of continuing medical education credits (CME) for physicians and web-based content management for medical and scientific societies. He was previously president and CEO of The Governance Institute, a firm serving the healthcare governance market. Prior to The Governance Institute, he led First American Records Management, a records and information management company headquartered in Silicon Valley. Gordon has served on many boards, including currently as chairman of Scripps Health, a nationally-ranked integrated health system, and as a board member of MD Revolution, a company leveraging digital technology to improve health and wellness. He is a graduate of Cornell University and the Fordham University Graduate School of Business.

INVESTOR RELATIONS I PUBLIC RELATIONS I COMMUNICATIONS I BOARD MANAGEMENT

Nasdaq Corporate Solutions helps organizations manage and master the two-way flow of information with their audiences. Around the globe, market leaders rely upon our unmatched suite of advanced technology, analytics and consultative services to maximize the value of their work—from investor relations and corporate governance to public relations and communications.

Nasdaq Corporate Solutions – MeetX and Directors Desk

Intuitive Board Portal Software for Public, Private, and Non-Profit Boards

Nasdaq Corporate Solutions’ MeetX and Directors Desk can help streamline meeting processes, which, in turn, may accelerate decision-making and strengthen governance. Used by public, private and non-profit organizations worldwide, including over half of the Fortune 500, MeetX and Directors Desk combine functionality with security features, ease-of-use and mobility.

Follow us on Twitter: @MyCorpSolutions

Follow us on LinkedIn:Nasdaq Corporate Solutions

This communication and the content found by following any link herein are being provided to you by Nasdaq Corporate Solutions, a business of Nasdaq, Inc. and certain of its subsidiaries (collectively, “Nasdaq”), for informational purposes only. Nasdaq makes no representation or warranty with respect to this communication or such content and expressly disclaims any implied warranty under law. Nasdaq, the Nasdaq logo, and Nasdaq Corporate Solutions are registered and unregistered trademarks, or service marks, of Nasdaq, Inc. or its subsidiaries in the U.S. and other countries. ©Nasdaq, Inc. 2017. All rights reserved.

Comments or opinions expressed on the blog are those of their respective contributors only. The views expressed on this blog do not necessarily represent the views of Nasdaq, Inc. or any of its affiliates, or its or their management or employees (collectively, “Nasdaq”). Nasdaq is not responsible for, and disclaims any and all liability for the content contributed by contributors to the blog.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.