Kim Nash’s Post

UnitedHealth Group -- answers to written questions from the Senate Finance Committee. Some responses are vague, repetitive and/or don't actually answer the questions. But there are some interesting points to note:

* $300 million spent on cybersecurity (cyber staff is 1,300 people)
* Still no real detail about how much and what kind of breached data. The ransomware group stole data over a few days -- between Feb. 17 and Feb. 20.
* It appears the FBI gave UHG the data that was being ransomed. "The process of analyzing the dataset that was made available to the Company by the FBI is complex and requires significant compute resources because it requires unpacking and unzipping many layers of files within the dataset in order to identify the individuals whose data may be impacted."
* More than 14,000 organizations took "temporary funding" loans from UHG, for a total of about $7 billion

https://lnkd.in/eSxsWzeT

responses_for_questions_for_the_record_to_andrew_witty.pdf

finance.senate.gov

Bob Zukis

Founder and CEO DDN, DDN.QTE, Conference Board ESG Center Fellow, PwC Partner (Ret.), USC Marshall Professor (Fmr.),

1mo

Thanks Kim Nash. A notable additional observation. This was also discussed in the Committee hearing, and the problems with this statement are below:

"Mandiant now serves as an advisor to the Audit and Financial Committee of the Board. Cybersecurity is already a standing agenda item, and Mandiant will have a seat at the table going forward for those discussions. Mandiant has a deep knowledge of the company, along with broad knowledge and visibility of threats facing the health care industry."

1. The fundamental cybersecurity control issue of having a cyber expert on the UNH board has not been addressed.
2. Mandiant as an outside expert advisor to the board is fine; boards hire experts all the time for financial auditing, legal, compensation, etc. But who on the board understands what Mandiant is advising? See 3.
3. The fiduciary duties of corporate directorship cannot be delegated to outside experts; this responsibility still resides with the UNH board.
4. What does "standing agenda item" mean to a board that doesn't understand the item, and why is it still in the Audit and Financial Committee?

No structural reforms have been made by the UNH board that fix the boardroom leadership failures pointed out by Senator Ron Wyden.

Vishal Chawla

Cybersecurity Strategist & CEO @ BluOcean

1mo

Thank you, Kim Nash, for shedding light on this critical issue. I believe Congress should involve cybersecurity experts in these sessions. Here's why: The maturity of their program, as highlighted, appears more like bureaucratic jargon than a practical, actionable strategy. Allocating $300 million for a team of 1,300 people is commendable, but the focus on having a mature Incident Response Program is concerning. Incident response is crucial, but it addresses problems AFTER the DAMAGE IS DONE! There is a glaring omission in the discussion regarding the prioritization of technical debt on mission-critical applications. Why wasn't this addressed? Furthermore, what strategy is UHG following to implement a proactive threat exposure management program? These are the questions that need answering. The only way to stop hackers is by making it very difficult to hack! If we don't plan effectively, we might as well award ourselves a trophy for a good incident response program. In my opinion, this UHC cyber response to Congress represents one of the most inadequate approaches to cybersecurity I've encountered.

Chad Boeckmann

TrustMAPP | I help business leaders align information security with business outcomes

1mo

Who can really answer if $300M on cybersecurity was adequate? For the world's largest healthcare organization this seems low to me. What percent of the IT budget does that $300M represent? Cybersecurity budgets, including adequately trained and experienced staffing, should be measured as a function of business risk and consumer risk and correlated with company revenue, not IT budget. But that is simply my personal observation over the years.

John Stewart

(fmr) SVP/CSTO Cisco —- Angel Investor / Startup Whisperer / Anti-poaching Advocate at Talons Ventures, LLC

1mo

I’ve been doing this a little while and I deeply believe that how much money is spent is so the wrong discussion. You can have a little and spend it wisely and a lot and spend it stupidly. Outcomes, measurements and proof, active and constant pen testing, controls maturity, baselines and trend lines. External validation. These are the ways, in my experience.

$380 million spent on status quo security, and that wasn't enough to protect the company from becoming a victim of a cyber attack. Maybe it's time to ask the question "what are we doing wrong?" https://energycentral.com/c/iu/paradigm-shift-has-begun-managing-cybersecurity-business-risk

Chris Yu

Lead DevOps Engineer

1mo

Benjamin, that forensic use case for DE isn't one I see talked about much in your SME. I think it's time.
