Cyber risk has become a key regulatory concern for companies in the wake of several high-profile breaches. Regulators are paying increasing attention to the obligations of corporate boards concerning cyber security, particularly in the healthcare industry (see our prior blog posts here and here). It is therefore concerning that early survey results recently released by the National Association of Corporate Directors (NACD) found that only 11% of the 1,034 directors responding to the survey believe that their boards have a high level of understanding of cyber risks. Directors of healthcare entities admit to the least understanding, with 30% indicating that they have “little knowledge” about such risks. Equally alarming was the finding that almost one-third of the outside directors surveyed are dissatisfied with the quality of information provided by management with respect to cybersecurity, and half are dissatisfied with the quantity of that information.
In view of these NACD survey results and the continuing risk of security breaches, it is incumbent on healthcare boards to request and receive necessary education on the risks their organizations face and what is being done to proactively address cyber risks.