Does everyone feel compelled to comment on cybersecurity issues? It seems that way. And on October 20th the Securities Industry and Financial Markets Association jumped deeper into the fray when it issued its Principles for Effective Cybersecurity Regulatory Guidance. SIFMA goes into substantial depth for each one in the document itself, but without further ado, here they are, followed by my comments or summaries on each:
1. The U.S. government has a significant role and responsibility in protecting the business community.
My former boss John Stark likes to say, “A data breach is the only crime where you’re the victim and you’re treated like a criminal.” Probably true! In that spirit, SIFMA would like the government’s enforcement efforts to be focused on computer criminals and not securities firms that are doing their best to protect their clients’ information.
2. Recognize the value of public–private collaboration in the development of agency guidance.
The Principles cite The National Institute of Standards and Technology’s Cybersecurity Framework (discussed here) as a useful model of public-private cooperation that should guide the development of agency guidance. Along those lines, SIFMA suggests that an agency working group be established that can facilitate coordination across government agencies and self-regulatory organizations, and receive industry feedback on suggested approaches to cybersecurity.
3. Compliance with cybersecurity agency guidance must be flexible, scalable and practical.
Again with the NIST Cybersecurity Framework, which by its terms is “envisioned as a ‘living’ document, improved based on feedback from users’ experiences, while new standards, guidelines, and technology” are built into future versions. SIFMA thinks the same should be true for the standards and practices recommended by agencies.
4. Financial services cybersecurity guidance should be harmonized across agencies.
Here’s what SIFMA says: “Financial regulators should coordinate to avoid a counter-productive proliferation of overlapping standards and overlapping regulators. A diffusion of regulatory principles undermines focus and diverts valuable resources for companies and agencies alike.” They’re right to say this, but oh, dear, this is hard. It’s not easy to get people on board within an agency, or even an agency division. Cross-agency coordination is well-nigh impossible.
5. Agency guidance must consider the resources of the firm.
SIFMA rightly notes that “[s]ophisticated prevention measures are sometimes financially prohibitive for smaller firms and burdensome standards could drive these important players out of the market.” Leaving financial services solely in the hands of giant players who can out-comply smaller ones would be horrendous.
6. Effective cybersecurity guidance is risk-based and threat-informed.
This one is closely related to Nos. 3 and 5. Basically, SIFMA hopes there won’t be regulation for regulation’s sake. “Agencies should premise their guidance on a cost-benefit analysis that takes into account the benefits to firms and consumers versus the compliance costs and potential burdens suffered by consumers.”
7. Financial regulators should engage in risk-based, value-added audits instead of checklist reviews.
I can’t help but see this as a shot at the SEC’s investment adviser cybersecurity examination module, publicly released in April 2014 to help advisers prepare for regulatory exams in this area. As former SEC official Bob Plaze notes here, a one-size-fits-all checklist could be punitive for smaller firms that can’t afford to keep up.
8. Crisis response is an essential component to an effective cybersecurity program.
Needless to say? SIFMA also says explicitly here what it merely implies in No. 1: “Both firms and their clients are the victims when breaches or incidents occur.”
9. Information sharing is foundational to protection, must be limited to cybersecurity purposes, and must respect firms’ confidences.
While SIFMA appreciates the guidance the Justice Department and the Federal Trade Commission have recently given to assuage antitrust concerns associated with inter-firm information sharing to fight computer crime, more such assurances are always better. Put another way, don’t replace one regulatory concern (cybersecurity) with another (antitrust liability).
10. The management of cybersecurity at critical third parties is essential for firms.
Keeping a close watch on third-party vendors is a crucial cybersecurity issue for all businesses. SIFMA would like some help from the government on this huge job: “Regulators should increase their coverage of third parties and put pressure on these third parties to meet the regulatory expectations of the financial services firms that they serve.”
Be careful out there.
