Wednesday, February 22, 2017

Enhanced cybersecurity standards should be consistent and risk-based, say industry groups

By J. Preston Carter, J.D., LL.M.

Comment letters to the federal financial regulatory agencies from a number of industry groups urge the adoption of a risk-based approach and consistent standards in the agencies' proposed enhanced cybersecurity standards for big banks. Last October the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency proposed enhanced cybersecurity risk-management and resilience standards for large and interconnected entities under their supervision, as well as for services provided by third parties to these financial institutions.
SIFMA, ABA, and IIB. In one comment letter, the Securities Industry and Financial Markets Association, American Bankers Association, and Institute of International Bankers noted the "extensive work that has been done by regulators and industry to develop core principles and practices that are risk-based and harmonized across the regulatory environment." The groups also noted that financial institutions have already designed cybersecurity programs to align with the NIST Cybersecurity Framework and to comply with federal cybersecurity regulations such as those promulgated under the Gramm-Leach-Bliley Act, which also adopt risk-based approaches to cybersecurity.
If any new rule is promulgated, they urged, it should adopt a risk-based approach consistent with the global approach used in voluntary frameworks such as the NIST Cybersecurity Framework, setting control objectives rather than prescriptive requirements.
Specifically, the letter states, the agencies should consider the risks of certain provisions within the proposed regulation, which include: (1) arbitrary application of the proposal to entities with $50 billion in assets (regardless of risk), unnecessarily placing regional financial institutions in scope; (2) creation of a mandatory two-hour recovery time objective irrespective of active cyber threats, potentially forcing targeted institutions to choose between resuming services prior to firm readiness, or resuming services after the two-hour window if necessary and facing noncompliance ramifications; and (3) lack of harmonization with existing industry standards, which exacerbates existing industry cyber risks by forcing information security personnel into compliance functions, rather than actively defending their institutions.
FSR. BITS, the technology policy division of the Financial Services Roundtable, said, "It is critical that the Agencies adopt a risk-based approach to cybersecurity regulation." According to the FSR, this would permit financial institutions to align their cyber risk strategies with their particular risk profiles. The letter continued, "Rather than imposing a rigid set of requirements that purports to fit the needs of all institutions in this very diverse sector, a risk-based approach would hold institutions accountable to develop a customized, enterprise-wide program of cyber preparedness based on a more accurate assessment of their inherent and residual risks."
The letter also highlighted the "many overlapping cybersecurity regulations facing the financial industry," such as the Interagency Guidelines Establishing Information Security Standards, the FFIEC Cybersecurity Assessment Tool, the New York Department of Financial Services cybersecurity regulations for financial services companies, and the Office of the Comptroller of the Currency’s guidance on third-party relationships and risk management. "Viewed in isolation," FSR said, "these regulations are each well-intentioned and can contribute to the cybersecurity of the financial services sector. When layered upon one another, however, they create differing and potentially conflicting approaches to cybersecurity."
The FSR called for "a temporary pause in regulatory proceedings and adoption of a more unified approach to cyber risk management … coalescing around clear and more consistent standards that simplify execution and translates into improved critical infrastructure protection."
For more information about cybersecurity standards for financial institutions, subscribe to the Banking and Finance Law Daily.