Welcome to the Enabling Board Cyber Risk Oversight™ Blog Series
I am writing to introduce you to a new blog series I have started entitled Enabling Board Cyber Risk Oversight™. While the posts will be designed to assist C-suite executives and board members in exercising their fiduciary oversight responsibilities over Enterprise Cyber Risk Management (ECRM), anyone interested in improving their cyber risk posture will benefit from reading the blog posts.
Executives and boards today are challenged with a greater and greater number of risks, including climate, geopolitical, supply chain, economic, and, of course, cybersecurity risks. In executing their oversight over strategy development, risks, and leadership, boards have fundamental duties founded in federal and state laws, including the duty of care.
Duty of care is “a requirement that a person act toward others and the public with the watchfulness, attention, caution, and prudence that a reasonable person in the circumstances would use. If a person’s actions do not meet this standard of care, then the acts are considered negligent, and any damages resulting may be claimed in a lawsuit for negligence.”[i] For executives and board members, this means paying increasingly greater attention to their organization’s cyber risk management program.
Enabling Board Cyber Risk Oversight™ is about enabling better cyber oversight. As I discussed in my book, Stop the Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM)[ii], an effective ECRM program closely aligns with duty of care responsibilities.
All organizations in all industries see cyber risk oversight elevated into the boardroom. Among other reasons, the hardened cyber insurance market and increase in attacks have made the failure to have a comprehensive ECRM program an existential threat for most organizations.
Recent cases, including the conviction of former Uber CSO Joe Sullivan[iii] and the whistleblower complaints of the former Twitter head of security Peiter Zatko[iv], illustrate that even the largest and ostensibly most sophisticated organizations can fail hard. Both cases underscore the critical need for board oversight in their own way.
In healthcare, enterprise cyber risk management is more nuanced than in any other industry due to healthcare’s unique regulatory environment (e.g., HIPAA), distinctive ecosystem (millions of organizations and connected devices), and what’s at stake (patients’ lives).
Shortly after publishing my book, I wrote an article with Iliana Peters, former Acting Deputy Director at HHS Office for Civil Rights, entitled “The Legal Liabilities of Enterprise Cyber Risk Management”[v] in which we discussed the increasing possibility of courts holding executives and board members responsible for ECRM failures. Court cases are emerging that connect malware to malpractice and, in one case, negligent homicide. In my blog post about a year ago entitled “Cyber Risk and Patient Safety: A Tragic Call to Arms”[vi], I discussed the pending Springhill Medical Center case alleging that the medical team’s inability to access critical fetal monitoring data, systems, and devices during a 2019 ransomware attack led to a baby’s death.
In Enabling Board Cyber Risk Oversight™, I will be covering cyber risk-related topics from the C-suite’s and board’s perspective with a focus on the oversight role of the board and committees and the leadership responsibilities of executives.
I look forward to creating value for you and your organizations.
ENDNOTES
[i] Hill, Gerald and Kathleen. “Duty of care” definition. The People’s Law Dictionary. Fine Communications. Accessed July 27, 2019. https://dictionary.law.com/Default.aspx?selected=599
[ii] Chaput, Bob. “Stop The Cyber Bleeding: What Healthcare Executives and Board Members Must Know About Enterprise Cyber Risk Management (ECRM).” 2020. Available at https://amzn.to/33qr17n
[iii] Westby, Jody R. “Uber Trial: A Lost Opportunity For Cyber Governance.” Forbes. October 8, 2022. Available at https://www.forbes.com/sites/jodywestby/2022/10/08/uber-trial-a-lost-opportunity-for-cyber-governance/
[iv] Needleman, Sarah E. “Twitter’s Ex-Security Head Files Whistleblower Complaint on Spam, Privacy Issues.” WSJ. Updated August 23, 2022. Available at https://www.wsj.com/articles/twitters-ex-security-head-files-whistleblower-complaint-11661263009
[v] Chaput, Bob and Peters, Iliana. “The Legal Liabilities of Enterprise Cyber Risk Management.” AHLA Health Law Connection (americanhealthlaw.org). February 1, 2021. Available at https://www.americanhealthlaw.org/content-library/connections-magazine/article/86d4c53e-37e2-4b44-92a9-7b152eb1775e/The-Legal-Liabilities-of-Enterprise-Risk-Managemen
[vi] Chaput, Bob. “Cyber Risk and Patient Safety: A Tragic Call to Arms.” October 6, 2021. Available at https://clearwatercompliance.com/blog/cyber-risk-and-patient-safety-a-tragic-call-to-arms/