February 17, 2017


FSR: Financial Agencies Should Adopt Consistent, Risk-Based Cyber Regulations

“It is critical that the Agencies adopt a risk-based approach to cybersecurity regulation."


Submits Comment Letter on Enhanced Cyber Risk Management Standards ANPR

WASHINGTON, D.C. – The Financial Services Roundtable’s (FSR) technology policy division BITS submitted a regulatory comment letter to financial agencies regarding the advanced notice of proposed rulemaking, “Enhanced Cyber Risk Management Standards” and urged adoption of a risk-based approach to cybersecurity regulation.

“It is critical that the Agencies adopt a risk-based approach to cybersecurity regulation. A risk-based approach would eschew prescriptive requirements in favor of permitting financial institutions to align their cyber risk strategies with their particular risk profiles,” the letter noted. “Rather than imposing a rigid set of requirements that purports to fit the needs of all institutions in this very diverse sector, a risk-based approach would hold institutions accountable to develop a customized, enterprise-wide program of cyber preparedness based on a more accurate assessment of their inherent and residual risks.”

In the letter, FSR/BITS also highlighted the many overlapping cybersecurity regulations facing the financial industry. “The significant efforts undertaken by financial institutions to better coordinate their efforts and continually refine a risk-based approach to cybersecurity have not been reflected in the regulatory landscape. The financial services sector is now faced with an overlapping and ever-multiplying number of frameworks, guidance and tools, such as the Interagency Guidelines Establishing Information Security Standards, the FFIEC Cybersecurity Assessment Tool, the recently revised New York Department of Financial Services proposed cybersecurity regulations for financial services companies, and the OCC’s guidance on third party relationships and risk management.”

“Viewed in isolation, these regulations are each well-intentioned and can contribute to the cybersecurity of the financial services sector. When layered upon one another, however, they create differing and potentially conflicting approaches to cybersecurity, requiring firms’ information security professionals and operating staffs to spend substantial time and resources complying with each individual regulatory requirement instead of developing new methods of mitigating the ever changing cyber risks. In short, the focus becomes compliance with an array of disparate requirements rather than development of a comprehensive, tailored cybersecurity program for the company.”

FSR/BITS recommends that the “Agencies [should] engage in a robust dialogue with the financial services sector to rationalize the current regulatory environment,” calling for a temporary pause in regulatory proceedings and adoption of a more unified approach to cyber risk management, as could be achieved through adoption of the NIST Cybersecurity Framework’s language, organizational structure, and risk-based approach. We fully support collaborating and coalescing around clear and more consistent standards that simplify execution and translate into improved critical infrastructure protection.

To read the full letter click here and to read FSR/BITS’ recently announced 2017 priorities click here.



About The Author

The Financial Services Roundtable represents the largest integrated financial services companies providing banking, insurance, payment and investment products and services to the American consumer. Member companies participate through the Chief Executive Officer and other senior executives nominated by the CEO. FSR member companies provide fuel for America’s economic engine, accounting for $92.7 trillion in managed assets, $1.2 trillion in revenue, and 2.3 million jobs.
