Why the Change Healthcare breach is a wake-up call for CFOs

The following is a guest post from Joe Oleksak, a partner in the cybersecurity practice at professional services firm Plante Moran. Opinions are the author’s own.

The breach at Change Healthcare took numerous health plans and medical practices out of operation and compromised the personal information of at least 100 million Americans.

Months later, even as the payment processing company’s billing system came back online, the sheer scale of the breach, the corresponding public outcry, and the continued incidence of health care cyberattacks are still sending wake-up calls to CFOs in all industries.

The impact on Change’s customers, including most of the nation’s hospitals and health systems, was immediate and far-reaching, with more than 100 million notices sent to Americans. The American Hospital Association found that the breach had a financial impact on 94% of hospitals. Most importantly, 74% said operations were impeded, disrupting both patient care and revenue.

The breach also affected Change and its owner, UnitedHealth, whose $22 million ransom payment marked just the beginning of the billions likely to be spent before the company’s response and regulatory investigations conclude.

The CFO takeaway

The unfortunate incident underscores an essential truth for all CFOs: Understanding the digital dependencies within an organization’s revenue cycle, and identifying the vulnerabilities tied to them, are no longer optional. Weak points in these systems can quickly escalate, leading to widespread disruptions and significant financial consequences, including both direct and indirect costs.

For CFOs, the takeaway is clear. Cybersecurity must be viewed as a cornerstone of financial strategy, not an elective “box-checking” exercise. It is a mission-critical effort to ensure operational, business and financial resilience.

Finance chiefs must anticipate future industry demands, regulations, and customer expectations, even in industries not currently facing stringent oversight. Adopting a proactive approach positions an organization not only to endure such scrutiny but also to effectively navigate the shifting realities of current and emerging cybersecurity threats.

How to mitigate risks

What can CFOs do to ensure they have a firm risk-mitigation plan and effective cybersecurity processes in place? Following are some of the top-line considerations and strategies CFOs should incorporate into their own endeavors.

Acknowledge the CFO’s evolving role. Today’s CFOs must step beyond traditional financial oversight to manage the business dependencies of cybersecurity, in addition to and distinct from IT’s focus on technical dependencies. This shift requires CFOs to act as strategic risk managers who understand and anticipate the impact of cyber threats on business continuity and resilience.

In essence, cybersecurity should no longer be relegated solely to the IT department. Simply directing IT to draft policies or implement controls that check regulatory boxes or fulfill cyber insurance requirements is insufficient. Instead, CFOs should embed cybersecurity into their strategic planning to protect the organization’s financial health and operations.

Integrate cybersecurity across the C-Suite. CFOs, CEOs, CIOs and CISOs must collaborate more cohesively on cybersecurity strategies, ensuring that processes, policies and assets align to bolster organizational resilience.

Each executive’s unique perspective — financial oversight, strategic direction, technological management and risk-focused security — must converge to create comprehensive, cross-functional plans. This includes clearly defined and regularly tested protocols for vendor management, vulnerability management, business continuity, disaster recovery and incident response.

Effective, ongoing collaboration helps ensure rapid response and minimal operational and financial impact when breaches occur. By collectively engaging in these efforts, C-suite leaders can eliminate blind spots and appropriately manage organizational defenses.

Recognize the distinct roles of IT and cybersecurity. While CIOs often prioritize the swift implementation of technologies to drive operational efficiency, CISOs are trained to focus on risk management, scrutinizing the vulnerabilities tied to technology assets and the processes they support.

CFOs need to understand these contrasting priorities and recognize the limits of IT’s scope. To build a comprehensive and resilient cybersecurity strategy, CFOs should ensure that IT initiatives align with broader business resilience and growth objectives. This alignment requires leveraging both the CIO’s efficiency-driven mindset and the CISO’s risk-focused approach to create a balanced, cohesive strategy that safeguards the organization’s operations and finances.

Learn cybersecurity basics relevant to the organization and its customers. CFOs should understand key principles like segmentation, which limits the potential damage of a cyberattack by isolating systems and networks.

Additionally, it is vital to grasp the organization’s role within customers’ supply chains and recognize how inadequate data or system protection can affect them. Ask yourself: Are we creating risks for our customers? Is our organization unintentionally failing to properly vet vendors and suppliers?

These considerations highlight the broader responsibility of ensuring that cybersecurity practices not just protect internal assets but also uphold trust and reliability in customer relationships.

Take steps to put alternative business processes into operation in the event of a technology outage. Most people think of financial resilience when they think of the CFO role, but financial resilience and business resilience are intertwined. Do you have business processes in place to operate in a non-technical environment in the event technology is down or unavailable? 

Beware of single points of failure. Are you relying too much on one vendor? CFOs should know exactly what vendors they are relying on for mission-critical business processes and operations, along with their supporting systems and vendors. In many cases, having a backup or alternative is desirable from both risk management and business resiliency standpoints, even if it is more costly.

Understand that cybersecurity is as much about vendor risks as it is about securing internal systems. The Change breach showed that vendor risk is not only a concern for IT or procurement. Vendor management is a vital part of a much larger business resilience strategy, which requires integrated frameworks, processes and plans that account for cyber risks, operational impacts and financial resiliency.

A collaborative effort that encompasses these components is required to create a strong ecosystem able to protect the business from cascading threats.

Conduct independent assessments of vendors and internal systems and processes. Cybersecurity is too important to self-regulate and should not be assigned to those who already have a primary role doing something else.

Just as importantly, vendors and service providers that cannot provide a full, independent audit of their preparedness should not be trusted, nor should internal teams be expected to identify weaknesses within their security systems.

Use a trusted and independent third party to find the weak spots in your organization, assess whether vendors are adequately prepared or present significant risks such as those associated with M&A activity, and determine if your people are adequately trained in cybersecurity protocols. These efforts immediately pay for themselves in the event of even a small breach.

It’s important to remember that cybersecurity is not merely a cost center; it is a strategic business imperative that serves as both a shield and a catalyst for growth. The Change Healthcare breach underscores the necessity for CFOs of all industries to embed cybersecurity into the organizational DNA, driving a comprehensive approach that fortifies financial health and operational resilience.
