The Board’s Role in Cybersecurity

(Originally published in Nasdaq’s MarketInsite, March 30, 2017, and written by Gordon Clark, President and CEO of iProtean, now part of Veralon)


Cyberattacks. They are perhaps the most vexing security threats facing businesses today. To have a computer connected to the outside world is by definition to be vulnerable. Yet an analysis published in The NTT Group’s 2016 Global Threat Intelligence Report reported that only 23 percent of organizations are capable of responding effectively to a cyber incident. The challenges of being prepared are compounded by the sheer volume, sophistication, and shifting nature of the attacks. Threats are constantly evolving. Defenses need to evolve with them.


Hospitals, health insurance companies, law firms, private equity firms, and others with access to sensitive patient, client or personally identifiable information are, unfortunately, inviting targets. TrapX™, a cybersecurity defense firm, reported in its 2016 Year-End Health Care Cyber Breach Report that major cyberattacks on healthcare institutions increased by 63 percent over the prior year. The same report cites 123,869,931 documented cases of patient records being breached over the 2015 to 2016 timespan. Highly regulated industries, such as the financial and business services sectors, witnessed the highest volume of attacks. With the exception of health care, these industries face the highest per capita data breach resolution costs. At $402 per record, the average cost of a healthcare data breach was considerably higher than breaches in the financial services industry, which run on average $264 per compromised record. The proliferation of these attacks is likely to continue.


Financial services companies face a real threat to the confidentiality and trust inherent in the firm-investor relationship. For healthcare organizations, there is an added risk. It has been widely reported that the information contained in a medical record makes it approximately four times more valuable on the black market than a social security number. And while IT security at hospitals primarily focuses on data breaches, the infiltration of IT systems can also cause problems in areas such as planned surgeries, diagnostic procedures, and the operation of medical devices. Consequently, for hospitals, the risks from cyberattacks go beyond the financial and reputational. They can also endanger patients.


The magnitude of the cybersecurity threat clearly makes it a board level issue. Understandably, however, the arcane nature and technical complexity of the subject can cause the eyes of many board members to glaze over the details. It’s important, though, for all board members, regardless of technical background or inclination, to participate in ensuring the right policies and practices are in place and followed.


As cybersecurity specialist Martin Liutermoza, AVP of Information Security Engineering for Nasdaq put it, “Boards need to educate themselves and we need to help educate them on what security actually is and what it means. They need to understand what they are trying to protect.” He added, “That includes having a sense for the access points where hospitals are most vulnerable, such as Electronic Health Record (EHR) systems, web-enabled medical devices, mobile devices, and third-party vendors that connect to the hospital’s network.”


As with other issues, the board’s focus belongs on strategy, policy, and management oversight. The board adage of NIFO – noses in, fingers out – applies. It’s important for boards to ask the right questions and ensure the answers pass the smell test. Implementation, and the technical plans that go with it, are the responsibility of management.


For boards, here are some key areas for exploration:


  1. Understand how cybersecurity and, on a broader basis, IT security, fit within the organization’s overall enterprise risk management program.
  2. Have management explain where the organization is most vulnerable and what steps are being taken to mitigate those vulnerabilities.
  3. Understand the reporting structure, systems, controls, and measures management has in place to protect the organization from major cyber threats.
  4. Have management explain the extent to which the organization is using advanced technological tools to identify and stop attacks in real time.
  5. Have management ensure adequate staffing, budgeting, and training are in place to prevent and respond to attacks.
  6. Review management’s response plan to potential attacks and data breaches.
  7. Have an outside IT security expert conduct an audit on an annual basis and present findings to the board.
  8. Set a schedule with management for regular updates. Decide whether to have the briefings made to the full board or a committee of the board.


No matter how well an organization is prepared, it cannot fully prevent cyberattacks. What it can do is have the right plans and systems in place to block some attacks and significantly mitigate the effect of others. In the words of Nasdaq’s Martin Liutermoza, “Having the right preparation and crisis recovery plan is going to keep people out of a lot of nightmares.” It’s the board’s responsibility to ensure those plans are in place.

Nasdaq’s Board and Leadership Solutions has a unique collaboration with iProtean (now part of Veralon), an e-learning company that provides online governance education and information to hospital directors. Bringing over 50 years of combined experience in healthcare governance information and education, the iProtean (now part of Veralon) leadership team understands the specific needs of hospital and health system board members. The company is committed to helping directors make a meaningful difference in their communities.



Nasdaq Corporate Solutions helps organizations manage and master the two-way flow of information with their audiences. Around the globe, market leaders rely upon our unmatched suite of advanced technology, analytics and consultative services to maximize the value of their work—from investor relations and corporate governance to public relations and communications.




For iProtean (now part of Veralon) subscribers: the advanced Mission & Strategy course, When the Dust Settles, featuring Marian Jennings and Dan Grauman, is in your library. Marian and Dan discuss the complexities of moving to a value-based healthcare organization, the key features necessary to ensure the board and leadership stay ahead of the curve, the importance of thoughtful and thorough assessment of the options available to the organization, the risks inherent in new investments, and changes in board recruitment and development.


Coming soon: the advanced Finance Course, Financial Risks & Strategic Implications of APMs, featuring Marian Jennings and Seth Edwards.

