Cyber attacks do not need to steal a single bit of data to wreak havoc. They just need to spook management enough to halt business. That alone can prove quite costly.

While boards naturally worry about data breaches and asset theft, it’s business interruption risk that’s too often neglected or ignored—until there’s a crisis.

Intriguingly, increased cyber incident disclosure requirements now show disruptions’ significant financial downside. For instance, in April 2022, Tenet Health temporarily halted some of its business due to an attack. Its Q2 earnings absorbed $100 million in lost business and remediation costs, as management pursues an insurance claim.

Dodging such turmoil requires rare readiness in face of relentless digital danger.

Cyber health

Tenet Health is one of the largest for-profit, health organizations in the U.S. with nearly 600 medical facilities, approximately 6,000 physician partners and over 100,000 employees—enough to handle over 8.5 million patient touchpoints per year.

Such scale, scope and increasing technology reliance also make it an ideal hacking target. Additionally, medical enterprises are highly susceptible to intrusion as they have data-rich patient files and often rely on patchwork IT systems across locations.

As such, on April 26, 2022 Tenet disclosed that in response to a cyber attack that it “immediately suspended user access to impacted information technology applications, executed extensive cybersecurity protection protocols and quickly took steps to restrict further unauthorized activity.”

The press release followed, “While there was temporary disruption to a subset of acute care operations, the Company’s hospitals remained operational and continued to deliver patient care safely and effectively, utilizing well-established back-up processes. At this time, critical applications have largely been restored and the subset of impacted facilities has begun to resume normal operations.”

Yet, the brief shutdown of select services bore material financial consequences.

Cash squeeze

Tenet CEO Saum Sutaria started the Q2 earnings call by disclosing, “Disruptions in the cyber attack clearly added significant pressure on volumes and earnings in April and May. We estimate this incident had an unfavorable impact of approximately $100 million on adjusted EBITDA.”

The accompanying earnings release revealed additional details. Same-hospital adjusted admissions for the quarter decreased 5.3% versus 2021. Accordingly, same-hospital “net patient service revenue per adjusted admission” decreased 0.2% versus 2021 primarily due to “the unfavorable impact of the cybersecurity incident.” Last, Tenet’s accounts receivable days outstanding increased to 59.8 days (from 57.0 days at year-end 2021) due to the cyber attack, as well as changes in Medicaid pay timing.

Tenet CFO Dan Cancelmi, added, “Importantly, we have filed insurance claims [for] these losses and we have ample coverage. While we expect to recover insurance proceeds in the future, we have not included in our 2022 guidance any insurance proceeds in the back half of the year. We did receive $5 million of proceeds in the second quarter.”

While Tenet anticipates reimbursement, cyber insurance recoveries require significant time, effort, expertise and expenditures. Business interruption claims, in particular, rely heavily on assumptions and take longer to adjudicate. Those complicating factors and the CFO’s hesitance on proceeds timing suggest a steep path ahead.

Ten questions

The Tenet Health case reinforces why boards and senior leaders must be increasingly prepared to address rising cyber-related business interruption risk. Here are ten diagnostic questions that credible response plans, as a minimum, must address:

1. Under what cyber threat circumstances would leadership halt operations?
2. What IT system redundancies and controls are employed to avoid shutdowns?
3. Are senior leaders fully prepared to address a cyber attack that would require business interruption?
4. Which senior leader(s) has/have final “kill switch” decision authority?
5. What would be the estimated hourly and daily cash flow effects of closures?
6. Does the current cyber insurance policy include sufficient business interruption coverage?
7. What detail is necessary to file a business interruption claim and does the organization routinely gather such data and prepare similar reports?
8. How frequently are cyber response procedures reviewed, audited and tested to ensure their clarity, adequacy, effectiveness and efficiency?
9. Is the board aware of emergency closure plans and periodic review results?
10. What specific stakeholder disclosures would a shutdown require?

Leadership must establish, understand and trust crisis response plans—especially related to business interruption risk. Substantive answers to these questions help build the strong resolve, tested readiness and reputational fortitude the digital era requires.

Who’s serious about cyber governance or just tempting fate?