I had a fascinating conversation recently with Kevin Powers, who reminded me that a large part of our role as technology executives involves keeping up to date with changes in the regulatory landscape. Kevin is the Founder and Director of the Masters of Science in Cybersecurity Policy & Governance Programs at Boston College.
For decades, cybersecurity was perceived as an esoteric component of information technology strategy. But after a series of high-profile attacks, cybersecurity has moved front and center, becoming a source of concern across the modern enterprise. The elevated awareness of cybersecurity partly explains why the reason why the U.S. Securities and Exchange Commission (SEC)
recently proposed amendments to its rules to enhance and standardize disclosures regarding cybersecurity risk management, governance, and incident reporting by publicly held companies.
In his role as an educator, Kevin helps CISOs and other stakeholders untangle the complexities of the regulatory environment.
โAlong with my duties at Boston College, Iโm also a cybersecurity
research affiliate at MIT Sloan School of Management where I also teach a course that weโre launching this November in cybersecurity. Itโs focused on executive education in cybersecurity for the board of directors,โ he explains.
We asked Kevin to talk about the SECโs proposed changes and give us an overview of how they are likely to impact technology executives.
โThis is something thatโs moving very quickly and impacts publicly traded organizations and wealth managers as well. The SEC came out with these proposed rules dealing with cybersecurity and they asked for comment, and they opened it up for 90 days of comment,โ Kevin says. โThere are four keys to the proposed rules and Iโm not going to go overly lawyer on you, Hunter. But what our audience should know is that thereโs a new reporting requirement proposed. It doesnโt mean itโs going to happen, but it looks like the SEC wants to get all of this in place, regardless of the comments they receive.โ
We also spoke about the implications for CEOs, the C-suite and boards.
โThe implications are that thereโs been a lot of talk about how boards have to become more active. I think this is really pushing boards and senior management to recognize cybersecurity as a core business function. Itโs no longer going to be left to the IT department or just to the CISO and security teams. Itโs at the board-level and there could be potential liabilities for board members if theyโre not following cybersecurity and looking at it as an essential part of their business,โ says Kevin. โThey have to be able to understand it, ask the right questions, digest the answers that come back, and then follow-up and be an active player in cybersecurity, like they would with any other business risk. No matter what industry you are in, cybersecurity is a key component. So, along
with understanding what youโre doing in the industry, you have to understand what type of data youโre collecting, what your business systems are, and understand what could happen if thereโs some sort of data breach or breach of your network systems and what steps are needed to effectively respond, mitigate, and recover.โ
