In advance of proposed rulemaking on federal cyber risk management standards, the Financial Services Roundtable (FSR) is urging financial agencies to adopt a risk-based approach to cybersecurity regulation.
Among the financial agencies addressed, FSR sent a letter last week to officials at the Federal Reserve Board of Governors, Office of the Comptroller of Currency, and the Federal Deposition Insurance Corporation.
“A risk-based approach would eschew prescriptive requirements in favor of permitting financial institutions to align their cyber risk strategies with their particular risk profiles,” the letter said. “Rather than imposing a rigid set of requirements that purports to fit the needs of all institutions in this very diverse sector, a risk-based approach would hold institutions accountable to develop a customized, enterprise-wide program of cyber preparedness based on a more accurate assessment of their inherent and residual risks.”
The letter also highlighted the many cybersecurity regulations facing the financial industry.
“The significant efforts undertaken by financial institutions to better coordinate their efforts and continually refine a risk-based approach to cybersecurity have not been reflected in the regulatory landscape,” the letter said. “The financial services sector is now faced with an overlapping and ever-multiplying number of frameworks, guidance and tools, such as the Interagency Guidelines Establishing Information Security Standards, the FFIEC Cybersecurity Assessment Tool, the recently revised New York Department of Financial Services proposed cybersecurity regulations for financial services companies, and the OCC’s guidance on third party relationships and risk management.”
While these regulations can be effective in preventing cyberattacks, there may be duplication.
“When layered upon one another, however, they create differing and potentially conflicting approaches to cybersecurity, requiring firms’ information security professionals and operating staffs to spend substantial time and resources complying with each individual regulatory requirement instead of developing new methods of mitigating the ever-changing cyber risks,” the letter said. “In short, the focus becomes compliance with an array of disparate requirements rather than development of a comprehensive, tailored cybersecurity program for the company.”
FSR’s technology policy division BITS calls for a temporarily pause in regulatory proceedings and asks for the agencies to engage in a dialogue with the financial services sector to come up with a risk-based approach to cyber risk management.
“We fully support collaborating and coalescing around clear and more consistent standards that simplify execution and translates into improved critical infrastructure protection,” the letter said.