Does cybersecurity matter?
It's time for security leaders to better understand their company's financial position.
How well are you acquainted with your company's finances? Most cybersecurity practitioners are known for their myopic view that prioritizes the best practices suggested by their community or the compliance needs of their board. While well-intentioned, this practice does not address the primary goal of most businesses — driving and securing revenue.
Ask yourself these questions:
Will a ransomware attack or other cybersecurity event drive our organization to bankruptcy?
How will increasing our cybersecurity budget lessen the probability that a cybersecurity incident impacts cash on hand?
According to the latest news reports, United Healthcare has advanced more than $3 billion to providers. This number reflects existing payables due and not the true financial impact of their recent ransomware attack.
We’ll see how the incident develops (the next earnings report is scheduled for Tuesday, April 16th), but in their most recent 8-K report they stated their position clearly:
The Company has not determined the incident is reasonably likely to materially impact the Company’s financial condition or results of operations.
- UnitedHealth Group Incorporated 8-k Item 1.05 (March 8, 2024)
For a better estimation of their probable financial impact, it's best to look back to the 2014 Anthem breach. At its lowest, the total cost for Anthem was approximately $450 million. This is $587 million in 2024 after adjusting for inflation (Bureau of Labor Statistics' Consumer Price Index).
Here's a snapshot of the NAIC regulatory settlement agreement and Anthem's 2016 annual report to give you an idea of loss amounts as they are reported by the company and its regulators.
Depending on the regulatory response and given that Alphv/Blackcat or related parties does not leak United's PHI, I agree that the attack will not have a material impact on United's financial position and shareholders as stated in their recent 8-K.
Yes, the United attack has disrupted the US healthcare ecosystem and may drive some entities to bankruptcy. But, UnitedHealthcare has a solid cash position of $30 billion* that will let them sleep soundly.
So, what is the true value of cybersecurity?
It all depends on the financial standing of your company. For every UnitedHealth, there are companies like Blackbaud and Clorox who have had material cybersecurity impacts as noted in their 10-K/10-Q’s.
There have also been others who have filed for bankruptcy or went out of business due to a cybersecurity event namely ransomware.
For more details on the incident:
We will be presenting a full comparative analysis of the UnitedHealth, Clorox and Blackbaud ransomware incidents at the 2024 Central Ohio InfoSec Summit. A full presentation will be available after the event.
What can we learn from this?
To better advocate for yourself and your program, it is imperative to understand how cybersecurity fits into the bigger financial picture.
Have intimate knowledge of the real financial impact that cybersecurity has had on others within your industry and leverage this information as needed.
Ask your leader for their perspective, “Should we invest in prevention or hoard cash to aid in resilience?”
*Does not include the true cash position of UnitedHealth such as its current or non-current marketable securities
 | A guest post by
|