.jpg)
SIFMA, jointly with the American Bankers Association (ABA) and Institute of International Bankers (IIB), today submitted comments to the Board of Governors of the Federal Reserve System (“Fed”), the Office of the Comptroller of the Currency (“OCC”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, “the Agencies”) regarding their joint advance-notice of proposed rulemaking (“ANPR”) on Enhanced Cyber Risk Management Standards.
The Associations commend the Agencies for their proactive review of the cybersecurity landscape and thoroughness in seeking insight from industry participants on the front lines. The Associations share the Agencies’ goal to strengthen and improve cybersecurity in the financial sector. The comment letter addresses the comprehensive and sophisticated questions posed by the Agencies in the ANPR, reviews the extensive industry and regulatory cybersecurity frameworks already in place, and highlights that prescriptive new regulatory requirements are unnecessary at best and could in fact hamper cybersecurity practices, leaving guidance as the most effective path forward for enhancing cybersecurity.
“Cybersecurity is a top priority for financial institutions, which are dedicating significant resources every day to help protect clients and the integrity of the financial system. Financial institutions also dedicate a significant amount of time and resources toward compliance with an already robust, expanding, and often overlapping, set of cybersecurity regulations,” said Kenneth E. Bentsen, Jr., SIFMA president and CEO. “Firms report that approximately 40 percent of corporate cybersecurity activities are compliance-oriented rather than security-oriented. As such, it is imperative that regulators avoid imposing new rules with unnecessary or duplicative requirements that could deter valuable and finite resources. We are encouraged by the Trump Administration’s Executive Order calling for a review of financial regulation and urge regulators to thoroughly review the risks and unintended consequences that could arise from new cyber regulation.”
The Associations’ comments note the extensive work that has been done by regulators and industry alike to develop core principles and practices that are risk-based and harmonized across the regulatory environment. Financial institutions have already designed cybersecurity programs to align with the NIST Cybersecurity Framework – developed with the input of over 3,000 experts and considered the hallmark for cybersecurity practices – and to comply with federal cybersecurity regulations such as those promulgated under the Gramm-Leach-Bliley Act, which also adopt risk-based approaches to cybersecurity.
If any new rule is promulgated, it should adopt a risk-based approach consistent with the global approach used in voluntary frameworks such as the NIST Cybersecurity Framework, setting control objectives rather than prescriptive requirements. Specifically, the Agencies should consider the risks of certain provisions within the ANPR, which include: (1) arbitrary application of the ANPR to entities with $50 billion in assets (regardless of risk), unnecessarily placing regional financial institutions in-scope; (2) creation of a mandatory two hour recovery time objective irrespective of active cyber threats, potentially forcing targeted institutions to choose between resuming services prior to firm readiness, or resuming services after the two-hour window if necessary and facing noncompliance ramifications; and (3) lack of harmonization with existing industry standards, which exacerbates existing industry cyber risks by forcing information security personnel into compliance functions, rather than actively defending their institutions. The comment letter further outlines the Associations’ views on the Agencies’ proposals and is available here: http://www.sifma.org/issues/item.aspx?id=8589965193.
