May 2, 2024
Cyber Risk

How to Keep Your CEO out of the Witness Chair

Lessons from the UnitedHealth Hack

By Doug Laird

The image of UnitedHealth Group's CEO forced to testify before the US Congress on the massive losses the company and its customers are running up as a result of the ransomware attack is a sight that's going to be burned in the mind of every CISO.

Quantifying Cyber Risk is a very difficult problem, and even the largest companies in the world, like UnitedHealth, can misread their most material risks.

UnitedHealth has estimated that its recent hack will cost it "up to" $1.6 billion. However, an analysis of the hack by Safe Security, using the FAIR Materiality Assessment Model (FAIR-MAM), found that the financial impact to the company could eventually run at twice that level, potentially reaching over $3.2 billion.

At $3.2 billion, this marks the largest cyber attack in history against a single company. Safe Security CEO Saket Modi spoke with The Wall Street Journal earlier this morning (see story below).

FAIR-MAM analysis of UnitedHealth Group losses - from How Material is that Hack

It has become abundantly clear that failing to quantify the materiality of cyber incidents is no longer an option.

Organizations can use the Safe Materiality Assessment Module to quantify the probable frequency and potential loss magnitude of cyber events. This data equips cyber risk and security leaders to tune their cybersecurity strategy, prioritize critical gaps, reduce the business risk exposure from cyber events, and ultimately protect shareholder value.

Safe Security in the News

Recognition for our research on material cyber risk

UnitedHealth Under Fire in Congressional Hearings Over Cyberattack

Wall Street Journal, May 2, 2024

"The company's $1.6 billion estimate for this year doesn't include costs likely to occur beyond 2024, such as data breach notifications, dark-web monitoring and litigation, which could reach hundreds of millions of dollars, said Saket Modi, chief executive of cyber company Safe Security."

Using Safe and its Materiality Module, based on FAIR-MAM, organizations can proactively manage materiality before, during, and after an incident:

Proactively calculate and track risk before an incident becomes material. Use the model's FAIR-MAM estimates of financial loss from your top risk scenarios to cost-effectively target security or cyber insurance investments.

Assess materiality during an incident based on a comprehensive framework tailored to the risk scenarios or business assets targeted. Leverage the insights to prepare for the probable financial impact to follow.

Track materiality post-incident. Forensic and legal discovery related to cyber loss events can continue for extended periods while all immediate primary costs (the "quantitative" costs in SEC language) are assessed. Then there are the secondary (or "qualitative" in SEC language) cost considerations, driven by the likelihood that the company will be notified of regulatory investigation(s) and/or face litigation filed in relation to the breach.
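To make the frequency-times-magnitude idea behind the three phases above concrete, here is an added Monte Carlo sketch of a FAIR-style loss estimate that separates primary (quantitative) costs from secondary (qualitative) costs such as regulatory investigation and litigation. It is illustrative code written for this post, not Safe Security's product or the FAIR-MAM model itself; every dollar range, trigger probability and event frequency in it is a constructed placeholder, not a figure from the UnitedHealth analysis.

```python
import math
import random

# Constructed illustrative inputs; not figures from the article or from FAIR-MAM.
# Each loss category is a triangular distribution (low, mode, high) in USD.
PRIMARY_COSTS = {                       # "quantitative" costs in SEC language
    "incident_response": (5e6, 20e6, 60e6),
    "business_interruption": (50e6, 300e6, 900e6),
    "system_restoration": (10e6, 50e6, 150e6),
}
SECONDARY_COSTS = {                     # "qualitative" costs, each with a trigger probability
    "notification_and_dark_web_monitoring": (0.9, 20e6, 100e6, 400e6),
    "regulatory_investigation": (0.6, 10e6, 80e6, 300e6),
    "litigation": (0.5, 30e6, 200e6, 800e6),
}

def poisson(rng, lam):
    """Knuth's method for a Poisson draw; fine for the small per-year rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return k
        k += 1

def sample_loss_magnitude(rng):
    """One event: every primary cost, plus each secondary cost that actually materialises."""
    loss = sum(rng.triangular(lo, hi, mode) for lo, mode, hi in PRIMARY_COSTS.values())
    for prob, lo, mode, hi in SECONDARY_COSTS.values():
        if rng.random() < prob:
            loss += rng.triangular(lo, hi, mode)
    return loss

def simulate_annual_loss(event_frequency, years=10000, seed=1):
    """Monte Carlo over years: Poisson event count per year times a sampled magnitude per event."""
    rng = random.Random(seed)
    return [sum(sample_loss_magnitude(rng) for _ in range(poisson(rng, event_frequency)))
            for _ in range(years)]

def summarise(annual_losses, materiality_threshold):
    """The figures a board asks for: expected loss, tail loss, and P(loss exceeds the threshold)."""
    ranked = sorted(annual_losses)
    pct = lambda q: ranked[int(q * (len(ranked) - 1))]
    return {
        "expected_annual_loss": sum(ranked) / len(ranked),
        "p95": pct(0.95),
        "p99": pct(0.99),
        "p_exceeds_threshold": sum(l > materiality_threshold for l in ranked) / len(ranked),
    }

if __name__ == "__main__":
    for k, v in summarise(simulate_annual_loss(0.1), 1e9).items():
        print(f"{k}: {v:.3f}" if k.startswith("p_") else f"{k}: ${v / 1e6:,.0f}M")
```

Swapping the placeholder ranges for calibrated ones is the actual work of a materiality assessment; the structure (a frequency distribution, primary costs that always apply, and secondary costs that apply with some probability) is what the post's pre-, during- and post-incident phases refine over time.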

Materiality Is One Component of a Defensible Cyber Risk Practice

Determining materiality is just one component of a defensible cyber risk practice. Safe provides a unified platform for managing all your third- and first-party cyber risks. It answers two critical questions: What are my top cyber risks, and what do I do about them?

Safe empowers the largest global enterprises on their cyber risk journey, including Facebook, Netflix, ADP, Chevron, GSK, IHG, Molina Healthcare, and Expedia.

Could a UnitedHealth-level cyber disaster happen at your organization? Be ready to answer the question from your CEO or Board about the risk of material impact to your organization's finances. Let Safe Security show you our Materiality Assessment Module.