The banking groups say they support the rule's policy goals, but want to alter its reporting threshold.

The rule requires financial services companies to notify regulators within 36 hours of a major cyber incident, but that's just for starters.

FDIC’s Howard Whyte and RedSeal’s Wayne Lloyd detail how network modeling of cloud and on-premise infrastructure help CIOs and security teams mitigate risk.

Three professional associations for bean-counters argue that any regulation should only set high-level principles or flexible frameworks — not specific or prescriptive rules which might be duplicative and could become quickly outdated as hacker threats evolve.