Skip to main content

Policy Leaders’ ‘Enormous Role’ in Cybersecurity Compliance

Back to All News
Charlie Harry at Cyber Forum

Smith, School of Public Policy Deliver UMD’s 18th Forum on Financial Information Systems and Cybersecurity

Tremendous opportunity for policy students lies in an emerging and needed interdisciplinary approach to “making cyber and law work together.” This, according to privacy and cybersecurity attorney Kirk Nahra in delivering the Ira H. Shapiro Memorial Lecture as part of the 18th Forum on Financial Information Systems and Cybersecurity: A Public Policy Perspective.

The event, interdisciplinary in itself as hosted by the Robert H. Smith School of Business and School of Public Policy at the University of Maryland, took place on Jan. 11, 2023. Public Policy Dean Robert C. Orr addressed the international gathering of experts from academia, business and government, as did Smith Dean Prabhudev Konana and Accounting and Information Assurance Department Chair Michael Kimbrough.

Konana noted cybersecurity as a priority in a move to deeply and broadly integrate Smith within the university by “increasing cross-disciplinary and cross-department research on existing and emerging grand challenges.”

Nahra’s presentation followed. It reinforced the Smith leader’s remarks.

“We are moving to cybersecurity as a legal requirement as well as a smart, practical priority for companies,” said Nahra, a partner at WilmerHale in Washington, D.C. “However, it’s a funny kind of legal requirement. The legal standards essentially require companies to implement reasonable and appropriate safeguards.”

“Lawmakers know that specific cybersecurity rules directing companies to ‘do X, Y and Z’ can become outdated the next day,” Nahra said. So, legal rules are compliance principles “driven by risk analysis rather than specific compliance requirements – they’re couched as compliance requirements, but they’re really business standards for ‘reasonable and appropriate.’”

Companies knowing “whether they’re doing enough” begins with associated IT and legal experts getting comfortable with each other to make such a judgement. And the business issues are critical, he added. “But few senior leaders, especially in the C-suite, really understand cybersecurity and the legal requirements.”

A company’s cybersecurity issues “need to percolate with clients, customers and business partners,” Nahra said. Vendors more and more cause security incidents for businesses, and the M&A area is high-risk for breaches in newly acquired operations. So, the interdisciplinary approach also applies externally, as it’s smart for companies to work with one another to produce common, mutually beneficial approaches and best practices. “This means an enormous role for business leaders, but they need to be better educated.”

Following Nahra, Rebecca Mercuri, digital forensics expert and founder of Notable Software, presented “The Weird World of Financial Fraud Cyber Scams” including a note that US consumers reported a record $3.56 billion in online fraud in first half of 2022 — a nearly 50-percent increase from the same period in 2021. Imposter scams, she said, represented the highest percentage. And during the pandemic, mobile banking increased by 200 percent in new registrations, leaving banks vulnerable to risk.

Mingyan Liu, UMD graduate (MS in Systems Engineering, ‘97 and PhD in Electrical Engineering ‘00) and professor of electrical engineering and computer science at the University of Michigan, presented “Internet Scanning for Cyber Risk Quantification: Past, Present, and Future.” She was followed by Charles Harry, director of the Center for Governance of Technology and Systems (GoTech) and Associate Research Professor in the School of Public Policy. He described his work behind the Strategic Disruption Index (SDI) to assess the loss of effective transportation network capacity of passengers resulting from various cyber-attack scenarios. It was part of his talk, “Estimating Strategic Cyber Consequences in the Air Sector.”

Luncheon speaker and NSA senior executive David R. Imbordino recounted his role as NSA Elections Security Lead to counter potential foreign interference in the 2020 election. He further described the evolution in NSA’s cyber security activities and partnerships with government partners and the broader ecosystem of industry and academia.

Closing out the forum, Sasha Romanosky, senior policy researcher at the RAND Corporation, spoke on “Federal Reinsurance for Catastrophic Cyber Losses."  Shouhuai Xu, professor of computer science at the University of Colorado-Colorado Springs, discussed “Repeated Data Breaches and Firm Value." L. Jean Camp, professor Informatics at Indiana University, presented “SBOM: A Cure for the Lemons Market in Security?” And Christian Lowry, senior risk analyst for the Cybersecurity and Infrastructure Security Agency, presented “Assessing National Cyber Risk: Approaches and Actions.”

The forum is organized by Public Policy faculty Charles Harry and William Lucyshyn, research professor and director of research for the Center for Governance of Technology and Systems, along with Smith faculty Lawrence A. Gordon, EY Alumni Professor of Managerial Accounting and Information Assurance and Martin Loeb, professor of accounting and information assurance and a Deloitte & Touche Faculty Fellow.

Gordon, Loeb and Lucyshyn launched the forum after researching together on the “economics of information sharing related to cybersecurity breaches.” After presenting the work in 2002 at a University of California -Berkeley conference, the paper was published in the Journal of Accounting and Public Policy.


Article and images provided by the Robert H. Smith School of Business

For Media Inquiries:
Megan Campbell
Senior Director of Strategic Communications
For More from the School of Public Policy:
Sign up for SPP News