- Posted By Filip Talac, CEO of QFI Risk Solutions, Ltd
- On 02 Apr, 2025
- Category : Company Blog
Cybersecurity is now a board-level issue for businesses in every sector. The ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group (UHG), has highlighted the pressing need for strong cybersecurity controls and for accountability at the highest levels of corporate governance. Taken together with the SEC's enforcement action against SolarWinds, this event sets a new benchmark: the board and the Chief Information Security Officer (CISO) are expected to answer personally for how cybersecurity is managed and disclosed.
The UHG Cybersecurity Breach: A Case Study
On February 21, 2024, UHG announced a ransomware attack on its subsidiary, Change Healthcare. This attack caused widespread service outages that severely affected patients, healthcare providers, and even national security. Patients were unable to collect prescriptions, and some healthcare providers had to close or reduce their hours due to the disruption. Additionally, sensitive health data, including information about military personnel and U.S. government employees, was stolen, posing significant risks to national security.
The root cause of this breach was UHG's failure to implement industry-standard cybersecurity practices, in particular multi-factor authentication (MFA). The attackers gained access through a remote-access server that was not protected by MFA, a basic control that is standard practice for any remotely reachable login. This gap, compounded by insufficient planning for a ransomware scenario and weaknesses in the supporting technology infrastructure, led to catastrophic consequences. Estimates of the total cost of the attack to UHG start at $1 billion.
Comparing UHG to SolarWinds
The UHG breach bears striking similarities to the SolarWinds incident. In 2020, Russian state-sponsored attackers inserted a backdoor into SolarWinds' Orion software; the trojanized update was downloaded by up to roughly 18,000 customers, and a subset of them, including several U.S. government agencies and major corporations, were actively compromised. The SEC's subsequent lawsuit against SolarWinds and its CISO, Timothy Brown, marked a significant shift in regulatory enforcement. The SEC not only cited deficiencies in SolarWinds' internal controls but also accused the company of making misleading statements about its cybersecurity practices.
SolarWinds had publicly asserted compliance with the NIST Cybersecurity Framework and strong password policies; however, internal documents revealed significant gaps between those statements and actual practice. The SEC's action underscored the importance of honest and transparent cybersecurity disclosures and set a precedent for holding individuals accountable for organizational cybersecurity failures.
The SEC’s New Cybersecurity Disclosure Rules
In response to rising cybersecurity threats, the SEC adopted new cybersecurity disclosure rules on July 26, 2023. These rules, effective September 5, 2023, require registrants to describe their cybersecurity risk management, strategy, and governance in their annual Form 10-K and Form 20-F reports. They also require material cybersecurity incidents to be reported on Form 8-K (or Form 6-K for foreign private issuers) within four business days of the registrant determining that the incident is material; the clock runs from the materiality determination, not from the date of the attack, and that determination must be made without unreasonable delay. The SEC's emphasis on transparency and accountability aims to give investors a clear understanding of a company's cybersecurity posture and to reduce the risk of significant financial and reputational damage through detailed disclosures and timely incident reporting.
Personal Liability of Upper Management: The New Norm
One of the most significant shifts highlighted by these cases is the growing trend of holding upper management personally liable for cybersecurity failures. In the SolarWinds case, the SEC named the CISO, Timothy Brown, as an individual defendant, establishing a precedent for personal liability in cybersecurity breaches. In July 2024 the court dismissed most of the SEC's claims, but it allowed the securities-fraud claims based on SolarWinds' public Security Statement to proceed against both the company and Brown, so the exposure that remains centres on what executives publicly say about their security program. This trend is gaining momentum, as boards and senior executives are held increasingly accountable for their companies' cybersecurity practices.
The recent letter from a U.S. senator to the chairs of the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) underscores this trend. The senator’s letter urged these agencies to investigate UHG’s negligent cybersecurity practices and hold its senior executives and board of directors responsible for the incident. This call for accountability reinforces the growing expectation that leadership must ensure robust cybersecurity measures are implemented and effectively managed.
Potential Outcomes for UHG
Given the SEC's aggressive stance in the SolarWinds case, UHG is likely to face similar scrutiny. The SEC may investigate UHG's cybersecurity failures, focusing on the lack of MFA, inadequate incident response planning, and the qualifications of its CISO, which the senator's letter called into question. If UHG is found to have made misleading statements about its cybersecurity practices or to have failed to meet regulatory requirements, both the company and its senior officers could face significant penalties.
The SolarWinds case also underscored the potential for fraud allegations in cybersecurity incidents. If UHG’s disclosures regarding its cybersecurity measures are false, the company could be liable under Rule 10b-5, which prohibits deceptive practices related to the purchase or sale of securities. This could result in significant legal and financial repercussions, including class-action lawsuits from affected parties.
Are Senior Managers’ Positions in Jeopardy?
The rising trend of holding senior managers personally liable for cybersecurity failures raises an important question: Are senior managers’ positions at risk? The answer is increasingly yes. As regulatory bodies like the SEC and FTC adopt a more aggressive stance on cybersecurity, the personal liability of upper management is becoming standard. Senior executives and board members must be well-informed about their company’s cybersecurity practices and take proactive steps to mitigate risks.
Lessons Learned and Best Practices
The UHG and SolarWinds cases underscore the necessity of holding the board and CISO accountable for cybersecurity. Organizations must ensure their cybersecurity leaders are qualified and that robust, industry-standard defenses are established. Transparency in cybersecurity disclosures is vital for maintaining investor trust and avoiding legal pitfalls.
Implementing comprehensive cybersecurity frameworks, such as ISO 27001, along with best practices like MFA and regular security audits, can significantly enhance an organization’s cybersecurity posture. Additionally, the SEC’s new disclosure rules provide a clear framework for reporting and managing cybersecurity risks, ensuring that companies are better prepared to handle incidents and communicate effectively with stakeholders.
Conclusion
The new norm in cybersecurity demands accountability from the highest levels of corporate governance. The UHG breach and the SEC’s actions against SolarWinds illustrate the severe consequences of failing to implement and disclose robust cybersecurity measures. By holding the board and CISO accountable, organizations can better protect themselves from cyber threats and maintain the trust of investors, customers, and the broader public.
As cybersecurity threats evolve, our approach to managing and mitigating these risks must also adapt. It will be crucial to have qualified leaders at the forefront of cybersecurity efforts and to ensure that transparent and truthful disclosures are made to navigate this complex landscape.