Who do Boards Blame for HIPAA Breaches and Cybersecurity Incidents?

When a HIPAA data breach occurs, questions are asked about the technical, physical and administrative controls that were put in place to secure the data. Companies are put in the spotlight and everyone feels the heat, but new data indicates that the finger of blame is now pointing in a different direction, certainly as far as directors are concerned.

According to a new report by NYSE Governance Services, entitled Cybersecurity in the Boardroom, there has been a shift of blame for data breaches in recent years. It is no longer just the Chief Information Security Officer (CISO) that boards hold responsible for a data breach.

The report shows that the entire C-suite is in for a torrid time. Some directors still put one individual in the cross-hairs, while others appear to fire indiscriminately.

Blame for Data Breaches Spread More Widely

According to the report, the Chief Executive Officer (CEO) is blamed most often, with the Chief Information Officer (CIO) also taking a considerable amount of heat. Both are clearly in the firing line. The executive team as a whole came in third.

Fortunately for CISOs, they have dropped to fourth, ahead of board members in fifth place. Unfortunately for all of the above, “others” came last. Boards are not looking very far when it comes to laying blame for data breaches.

NYSE researchers have an explanation for the results on the spreading of blame. “This makes it apparent that responsibility for attacks is being seen as a broader business issue, signaling a shift away from putting the onus squarely on the chief information security officer (CISO) and the IT security team.”

Directors may be ready to blame the whole C-suite for a breach, possibly because of their lack of confidence in the company’s ability to prevent data breaches from occurring. With the volume of cyberattacks now occurring, directors are understandably worried about having their own systems put to the test, and many believe their defenses will come up short.

The survey showed that only 4% of directors were very confident in their cybersecurity defenses, 29% were confident, but the majority – 66% – were less than confident in their company’s ability to resist a cyberattack.

Cybersecurity is understandably a hot topic at the majority of board meetings: 81% according to the responses received, and 35% of respondents said cybersecurity is discussed at every meeting.

Directors’ Biggest Fears of Data Breaches

Brand image was a major concern: 41% of directors stated it was their biggest worry. 47% of respondents said the biggest concern was the cost of a data breach, covering not just the breach response but also the potential losses suffered from the exposure of confidential data. If that information were to fall into the hands of a rival company, the loss of competitive advantage could prove devastating.

The survey was conducted in conjunction with Veracode and involved 200 directors of public companies across a wide range of industry sectors, including the financial services and healthcare industry. The full report can be downloaded here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.