According to the American Hospital Association’s 2022 Hospital Statistics, there are 6,093 hospitals in the United States with investor-owned (i.e., for-profit) hospitals accounting for 1,228 facilities. While most hospitals have boards of directors, perhaps except for government facilities, those facilities that are part of a health system that is publicly traded, such as Tenet Healthcare Corp. (NYSE: THC), HCA Healthcare Inc. (NYSE: HCA), and Community Health Systems, Inc. (NYSE: CYH), have additional obligations imposed by securities laws and related U.S. Securities and Exchange Commission (SEC) requirements.
All persons with boards should be making sure that the individual board members are meeting their common law fiduciary duties, including those of loyalty and care. Arguably, since a board of directors always has a duty to act for the good of an organization, that duty should extend to the knowledge of board members to evaluate cybersecurity risk as part of the entity’s strategic plan and enterprise risk management strategy. It is imprudent for the board of directors to be involved in the day-to-day operations of an entity – it’s not their role and it could increase their liability.
For publicly traded companies, including the aforementioned health systems, it is imperative to appreciate not only their current obligations under the Exchange Act of 1934, the Sarbanes-Oxley Act of 2002 (SOX), and previous guidance issued by the SEC regarding cybersecurity, but also the SEC’s proposed rules relating to public companies and cybersecurity. Specifically, the proposed rules both build on existing requirements and add some new obligations, as follows:
A couple of notable observations: (1) the board of directors is specifically mentioned; (2) policies and procedures are required (NOTE: an organization should have two sets – one that is comprehensive and one that provides enough substance for most employees and the public without putting the organization at risk); and (3) Inline XBRL has been around for a while and “is a freely available global framework of accounting standards used for exchanging business information.” Public companies and registrants (those persons who are registered with the SEC) should have already integrated XBRL with SOX Sections 302 and 404.
For those in the healthcare sector, here are a few key areas that boards and companies alike should be focused on in relation to cybersecurity, risk mitigation, and liability for both individuals and companies:
In putting the final “bow” on this gift, placing qualified individuals on boards, particularly those of publicly traded companies, may lead to reduced risk, lessened legal liability, and greater peace of mind. Government investigations, individual lawsuits, and class actions are unequivocally more expensive than an annual risk analysis and adequate due diligence when acquiring or merging with companies. Yet many persons choose to ignore this and end up paying a much larger price later – financially, legally, and reputationally.
Rachel V. Rose, JD, MBA, advises clients on compliance, transactions, government administrative actions, and litigation involving healthcare, cybersecurity, corporate and securities law, as well as False Claims Act and Dodd-Frank whistleblower cases.