Comment letters to the federal financial regulatory agencies from a number of industry groups urge the adoption of a risk-based approach and consistent standards in the agencies’ proposed enhanced cybersecurity standards for big banks. Last October the Federal Reserve Board, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency proposed enhanced cybersecurity risk-management and resilience standards for large and interconnected entities under their supervision, as well as for services provided by third parties to these financial institutions.
SIFMA, ABA, and IIB. In one comment letter, the Securities Industry and Financial Markets Association, American Bankers Association, and Institute of International Bankers noted the "extensive work that has been done by regulators and industry to develop core principles and practices that are risk-based and harmonized across the regulatory environment." The groups also noted that financial institutions have already designed cybersecurity programs to align with the NIST Cybersecurity Framework and to comply with federal cybersecurity regulations such as those promulgated under the Gramm-Leach-Bliley Act, which also adopt risk-based approaches to cybersecurity.
If any new rule is promulgated, they urged, it should adopt a risk-based approach consistent with the global approach used in voluntary frameworks such as the NIST Cybersecurity Framework, setting control objectives rather than prescriptive requirements.
Specifically, the letter states, the agencies should consider the risks of certain provisions within the proposed regulation, which include: (1) arbitrary application of the proposal to entities with $50 billion in assets (regardless of risk), unnecessarily placing regional financial institutions in-scope; (2) creation of a mandatory two-hour recovery time objective irrespective of active cyber threats, potentially forcing targeted institutions to choose between resuming services prior to firm readiness, or resuming services after the two-hour window if necessary and facing noncompliance ramifications; and (3) lack of harmonization with existing industry standards, which exacerbates existing industry cyber risks by forcing information security personnel into compliance functions, rather than actively defending their institutions.
FSR. The Financial Services Roundtable's technology policy division, BITS, said, "It is critical that the Agencies adopt a risk-based approach to cybersecurity regulation." According to the FSR, this would permit financial institutions to align their cyber risk strategies with their particular risk profiles. The letter continued, "Rather than imposing a rigid set of requirements that purports to fit the needs of all institutions in this very diverse sector, a risk-based approach would hold institutions accountable to develop a customized, enterprise-wide program of cyber preparedness based on a more accurate assessment of their inherent and residual risks."
The letter also highlighted the "many overlapping cybersecurity regulations facing the financial industry," such as the Interagency Guidelines Establishing Information Security Standards, the FFIEC Cybersecurity Assessment Tool, the New York Department of Financial Services cybersecurity regulations for financial services companies, and the Office of the Comptroller of the Currency’s guidance on third-party relationships and risk management. "Viewed in isolation," FSR said, "these regulations are each well-intentioned and can contribute to the cybersecurity of the financial services sector. When layered upon one another, however, they create differing and potentially conflicting approaches to cybersecurity."
The FSR called for "a temporary pause in regulatory proceedings and adoption of a more unified approach to cyber risk management … coalescing around clear and more consistent standards that simplify execution and translate into improved critical infrastructure protection."
For more information about cybersecurity standards for financial institutions, subscribe to the Banking and Finance Law Daily.