I had a fascinating conversation recently with Kevin Powers, who reminded me that a large part of our role as technology executives involves keeping up to date with changes in the regulatory landscape. Kevin is the Founder and Director of the Masters of Science in Cybersecurity Policy & Governance Programs at Boston College.
For decades, cybersecurity was perceived as an esoteric component of information technology strategy. But after a series of high-profile attacks, cybersecurity has moved front and center, becoming a source of concern across the modern enterprise. The elevated awareness of cybersecurity partly explains why the reason why the U.S. Securities and Exchange Commission (SEC)
recently proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, governance, and incident reporting by publicly held companies.
In his role as an educator, Kevin helps CISOs and other stakeholders untangle the complexities of the regulatory environment.
“Along with my duties at Boston College, I’m also a cybersecurity
research affiliate at MIT Sloan School of Management where I also teach a course that we’re launching this November in cybersecurity. It’s focused on executive education in cybersecurity for the board of directors,” he explains.
We asked Kevin to talk about the SEC’s proposed changes and give us an overview of how they are likely to impact technology executives.
“This is something that’s moving very quickly and impacts publicly traded organizations and wealth managers as well. The SEC came out with these proposed rules dealing with cybersecurity and they asked for comment, and they opened it up for 90 days of comment,” Kevin says. “There are four keys to the proposed rules and I’m not going to go overly lawyer on you, Hunter. But what our audience should know is that there’s a new reporting requirement proposed. It doesn’t mean it’s going to happen, but it looks like the SEC wants to get all of this in place, regardless of the comments they receive.”
We also spoke about the implications for CEOs, the C-suite and boards.
“The implications are that there’s been a lot of talk about how boards have to become more active. I think this is really pushing boards and senior management to recognize cybersecurity as a core business function. It’s no longer going to be left to the IT department or just to the CISO and security teams. It’s at the board-level and there could be potential liabilities for board members if they’re not following cybersecurity and looking at it as an essential part of their business,” says Kevin. “They have to be able to understand it, ask the right questions, digest the answers that come back, and then follow-up and be an active player in cybersecurity, like they would with any other business risk. No matter what industry you are in, cybersecurity is a key component. So, along
with understanding what you’re doing in the industry, you have to understand what type of data you’re collecting, what your business systems are, and understand what could happen if there’s some sort of data breach or breach of your network systems and what steps are needed to effectively respond, mitigate, and recover.”
