As cybersecurity continues to become more of a mainstream business issue, CEOs, boards of directors and line-of-business leaders are becoming increasingly aware of the risks that cybersecurity vulnerabilities place on the enterprise.

This is part of the reason why the U.S. Securities and Exchange Commission (SEC) recently proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, governance, and incident reporting by publicly held companies.

HMG Strategy Founder and CEO Hunter Muller recently caught up with Kevin Powers, Founder and Director of the Master of Science in Cybersecurity Policy & Governance Programs at Boston College, to help CISOs and other stakeholders better understand what the proposed SEC requirements mean for organizational leaders.

Hunter Muller: Kevin, great to have you here today. What are some of your responsibilities in addition to your role at Boston College?

Kevin Powers: Along with my duties at Boston College, I’m also a cybersecurity research affiliate at MIT Sloan School of Management, where I also teach a course that we’re launching this November in cybersecurity. It’s focused on executive education in cybersecurity for the board of directors. I also serve on a couple of boards in the industry, one with HYCU, a Bain Capital-owned company that does data backup and protection. I’m also on the board of Reading Cooperative Bank, a regional bank here in Boston approaching a billion dollars in assets.

HM: Thanks, Kevin. There’s also some news from the SEC that’s coming down the pike here that everyone really wants to know more about.

KP: This is something that’s moving very quickly and impacts publicly traded organizations and wealth managers as well. The SEC came out with these proposed rules dealing with cybersecurity and they asked for comment, and they opened it up for 90 days of comment.

There are four keys to the proposed rules and I’m not going to go overly lawyer on you, Hunter. But what our audience should know is that there’s a new reporting requirement proposed. It doesn’t mean it’s going to happen, but it looks like the SEC wants to get all of this in place, regardless of the comments they receive.

First, it would be a four-day reporting requirement for any publicly traded organization that suffers a material incident. The definition of an incident is kind of loosey-goosey here, so it’s not really clear what they mean by that, and they have to tighten that up. But organizations will be required to report within four days of a “material” incident occurring. This could include unlawful access – it could be an employee, it could be someone else – not rising to the level of a data breach, exposing hundreds of thousands, or even dozens, of records of personally identifiable information, and that could count as a material breach under the new proposed rules.

This could put a lot of companies under the gun on what they report, when they report, or whether they are going to be over-reporting. If you’re a publicly held company, this is going out to your shareholders and could really impact your shares, because every time you report something, there’s going to be a hit to your brand. So that’s one.

Second, it also requires publicly traded organizations to put forth what they’re doing to protect the personally identifiable information in their network systems. It’s not something that the SEC is really allowed to do – to put forth rules and regulations on how you’re going to set up your program. But the way this comes out is you have to identify – disclose – what you’re doing for cybersecurity and data privacy, listing how you’re putting your program together in your annual disclosures. It’s really taking from New York’s Department of Financial Services Part 500 with their requirements.

The third requirement really goes to the board of directors. There’s a proposed requirement that boards of directors be educated in cybersecurity and also an option to appoint an expert in cybersecurity to publicly traded boards. If you’re going to do that, you have to highlight and note what that person’s expertise is, where they were educated, what type of education they’ve received, and what their true background is in cybersecurity.

So, it’s really putting a lot on the board of directors to understand cybersecurity. And I’ve been saying this a lot, that the business of cybersecurity is business. This is a business risk and it’s going up to the board, and the board really has to recognize this as though they’re a tech company. No matter what industry you’re in, you’re a technology company – cybersecurity is essential to your business, and you have to have oversight on that and understand it and work with management to manage it properly.

The fourth proposed SEC requirement goes back to senior management. Senior management, along with the board, has to put forth what they’re doing in evaluating and building out a cybersecurity risk-based program.

Those are the four proposals that are out there right now. The document, I believe, is 129 pages long. That’s my Cliff Notes approach to what’s coming down the pike and how it’s going to impact companies.

HM: Fantastic, thank you so much for sharing that with us, Kevin. So, what are the implications for CEOs and the C-suite and boards?

KP: The implications are that there’s been a lot of talk about how boards have to become more active. I think this is really pushing boards and senior management to recognize cybersecurity as a core business function. It’s no longer going to be left to the IT department or just to the CISO and security teams. It’s at the board level and there could be potential liabilities for board members if they’re not following cybersecurity and looking at it as an essential part of their business. They have to be able to understand it, ask the right questions, digest the answers that come back, and then follow up and be an active player in cybersecurity, like they would with any other business risk.

No matter what industry you are in, cybersecurity is a key component. So, along with understanding what you’re doing in the industry, you have to understand what type of data you’re collecting, what your business systems are, and understand what could happen if there’s some sort of data breach or breach of your network systems and what steps are needed to effectively respond, mitigate, and recover. This includes how they’re investing in the program, how they’re designing and building that out, how they’re working with chief information security officers, chief security officers, lawyers, and, most importantly, the business units to implement the right program based on the unique risks each company is facing.

HM: Great stuff, Kevin. It sounds to me like the federal government is activating the private sector to power up the defenses.

KP: Yes, and it pains me to say this as a Boston guy, but New York was really at the forefront on this with the DFS Part 500 rules and regulations that came out in 2017. They really took the NIST framework and codified it, and they put out these requirements that every organization shall do if you’re a financial institution regulated by the New York Department of Financial Services. What you’re now seeing with the SEC proposed rules is a push to force the hand of organizations to implement and follow these best practices.

What’s coming out now is no longer ‘You should follow best practices,’ rather it’s ‘Now you shall!’ If you don’t, well, you could not only hurt your business, but also you could suffer the wrath of the regulators.

HM: What I love about our network and our role at HMG Strategy is that we’re the largest trusted independent network of CISOs, CIOs and CTOs around the world. Independence matters, really having that objective point of view, right?

KP: It really does. You need that objective point of view. Also, if you look at what the SEC is doing and what all the different regulators are coming out with, at least it’s not as stringent as check-the-box compliance. It’s still based on your organization’s unique risk. It’s risk-based, and it gives organizations the objective and subjective side of the house by saying, ‘Hey, you have to do these 10 things, but along with those 10 things, you have the freedom, subjectively, to build a program that really fits your business.’ It’s not cookie-cutter.

HM: Tell us a little bit about you, your background and your passion. You’re the founder of this amazing movement at BC.

KP: I’ve been a lawyer for the past 23+ years. I started in the U.S. Department of Justice, first working with the U.S. Marshals Service and the U.S. Attorney’s office. Then, I went off to the Navy JAG Corps for five years, which was a great time. I got involved with the academic side and became a JAG officer. I was the Deputy General Counsel at the U.S. Naval Academy in Annapolis.

From there, I worked in private firms in Boston and Washington, DC. I went in-house and continually taught. I taught at Boston College, taught at Boston University and, in 2016, built this program with the then-current Dean (of the Woods College of Advancing Studies) Father James Burns, and BC signed off on it. Next thing you know, I was at Boston College. If I’d planned to be in academia, it would never have happened. I just got lucky.

HM: So, a real entrepreneurial streak in you there. That’s amazing!

KP: Exactly, and cybersecurity, as you know, Hunter, is changing every day. You have to be innovative and you have to look at all the different emerging technologies. But you also have to evaluate business strategies, as well. It’s not based on tech. We’ve always said this, that cybersecurity is not a tech issue, it’s a business issue that needs to be managed with the senior leaders, senior management, the board of directors, taking a holistic approach, and it’s all based on understanding your risk and managing that risk effectively.

HM: Why is it so important that cyber executives get a business mindset around assessing the risk profile, finding out where the risk assets are, and then protecting those crown jewels?

KP: It’s very important because everyone who works for an organization needs to be thinking cybersecurity, whether you’re the receptionist, the chairperson of the board or the CEO, because ‘the business of cybersecurity is business.’ Why is it important at that board level to understand cybersecurity? Because it is a key function for their business and, as such, it is part of their oversight responsibilities.

HM: It’s about creating a culture of security across the organization. But the CISO also needs to be effective with the board, the C-suite, and the line of business. What are some recommendations there?

KP: Cyber culture needs to come down from the board and senior management. If it doesn’t come down from the board of directors through senior management, employees across the business are not going to take cybersecurity seriously. This is an essential part of any business. So, boards and senior managers first have to understand cybersecurity and why it’s important to their business. And why, if something goes wrong with regards to their security, they could be out of business.

It’s not just the data breaches that happen – there are also network breaches and ransomware attacks. Your brand could be impacted, and you could be down for a month and just think of the hit on the bottom line with that. So, this is a business-first issue, and this is why the SEC and others are coming out with all these regulations. It’s always percolated up, but it hasn’t gotten the attention that’s needed.

When you then talk about the CISO, how can they best communicate to a board? It really can’t be in technical terms. You have to talk in plain language, telling the board of directors and senior management ‘This is where we are in our program, this is where we’re going in our program, and this is where we need to be. This is how we continually must build out our program and this is why we need investment, not just in the technology, but in the people, the processes, and that goes across the entire enterprise.’

Key Takeaways:


• Recently proposed SEC cyber regulations for publicly traded companies will likely impose additional pressures on CISOs and company officers regarding the level of detail they disclose about a “material” security incident and when that information is disclosed – ultimately impacting brand reputation and stock price
• The proposed SEC regulations will also require publicly traded companies to disclose the steps being taken to protect their network systems and personally identifiable customer data, and will require board members to become more knowledgeable about cybersecurity
• CISOs should communicate to board members, in plain language, how cybersecurity is a business-first issue, along with the steps and investments that need to be taken to build the program continuously