[BreachExchange] Cybersecurity questions healthcare company boards should be asking

[Audrey McNeil]

http://www.healthcarebusinesstech.com/cybersecurity-questions-
healthcare-company-boards-should-be-asking/

Not a day goes by that headlines don’t have a story regarding the latest
cyber breach, and the consequences experienced by customers and investors
of the impacted company. Clearly these incidents highlight the importance
of cybersecurity efforts not only by company management, but also by board
of directors. In this guest post, Yelena Barychev, a partner at a
multi-disciplinary law firm, and Jane Storero, a former VP at an energy
provider, will explore the types of questions healthcare company boards
should be asking regarding the cybersecurity efforts of their companies.

Cybersecurity is one of the top health industry issues of 2016.  In January
2016, the Food and Drug Administration issued draft guidance on management
of cybersecurity in medical devices as it was concerned about cybersecurity
vulnerabilities for medical devices.

What are the board’s responsibilities with respect to cybersecurity?

This is the first question a board should ask. Every director owes
fiduciary duties to the company and its shareholders which are derived from
state corporate law. Generally, the corporate law of most states imposes a
duty of care on corporate directors. This duty requires that the director
act with due care in protecting the assets of the corporation, including
intellectual property or information assets. From this duty of care comes
the board’s obligation to oversee that management’s efforts in the area of
cybersecurity are adequate to protect the company and its assets.

How should the board fulfill this oversight role?

This is the next question a board should ask. The role of risk oversight is
typically considered a role for the full board, but some companies believe
it should reside in the audit committee or risk committee, depending on
industry specific factors and how the company is structured. It’s typically
suggested that the board be briefed on cybersecurity matters no less
frequently than semiannually, but quarterly updates to the board on cyber
issues may be appropriate for some companies depending on the company
specific factors.

The board should be discussing with management the frequency of the reports
to the board on cyber topics and the areas that will be addressed in such
reports. This will ensure the appropriate topics are discussed on a regular
basis to assist the board in fulfilling its risk oversight duties with
respect to cybersecurity.

The board should understand how the cyber risk is identified and addressed
in the company’s risk dashboard. This is where management would identify
the specifics of the risk, including the magnitude of the potential
financial, reputational and other damage to the company if an attack is
successful and the mitigation plan is in place to address such risks. This
would include the restoration of the functionality of the company’s
systems, as necessary, and the confidence of investors, customers and other
constituencies.

Ultimately, the board should discuss the magnitude of the harm that a
cyberattack can cause the company, as well as the company’s intended plans
to address this issue. From this discussion, the board can assess whether
management has the skills it needs to address the risk and also the
adequacy of the mitigation plan. If the board doesn’t have the necessary
skill set to evaluate the company’s cyber capabilities, the board should
have an expert in this area provide advice on the adequacy of the plan.

Cybersecurity plan

Questions for boards to ask regarding a company’s cybersecurity plan
include the following:

How much is the company spending annually on cyberattack prevention and
detection?
What technologies is the company employing to detect and prevent cyber
breaches?
What has management done to train employees and contractors regarding
security practices?
What does the company do to insure that employees and others with access to
the company’s IT systems have been following prescribed protocols?
Are the company’s agreements with third party vendors appropriately
modified to address responsibility for cyber breaches if caused by these
vendors?
Is the company following applicable regulatory guidance and requirements
related to cybersecurity issues?
What kind of insurance coverage does the company maintain for cyber
incidents and what does it cover?
Is the company’s D&O coverage sufficient to cover breach of fiduciary duty
claims that may arise from a cyberattack?

Crisis management plan

Taking action to prevent cyber breaches is important, but it is equally
critical for the company to have an adequate crisis management or incident
response plan ready to be implemented in the event of a cyberattack.

Boards should ensure that the company’s plan clearly delineates roles and
responsibilities. Questions the board should ask related to such crisis
management plan include the following:

What are the elements of the company’s crisis management plan?
What executives have responsibility for implementing such plan?
Have the employees responsible for implementing the plan been appropriately
trained?
Does the response plan address all critical areas like communications to
customers and investors, governmental outreach and IT protocols for
addressing and confining damage?
What notifications are required to be given in the event of a cyberattack?
Are notification protocols outlined in the plan?

Boards can take different approaches in the oversight of cyber risk and
still fulfill their fiduciary duties. Cyber protections and planning for a
cyber breach and recovery isn’t one-size-fits-all. Given the board’s role
of oversight in this process, board members need to be sure they’re asking
the right questions  in order to effectively monitor management’s plans and
progress in this critical area.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160914/f0583b89/attachment.html>