The U.S. Chamber of Commerce is warning federal bank regulators about their plan to impose new cybersecurity requirements on the largest and most interconnected financial institutions and their payment systems.
In a letter to the Board of Governors of the Federal Reserve, the Office of the Comptroller of the Currency and the Federal Deposit Insurance Corporation, the chamber frets that the regulators’ proposal will be too specific and risks creating a compliance-based approach to cybersecurity derided by critics as tick-the-box.
The agencies “should not attempt to impose prescriptive requirements, but support industry efforts to enhance financial sector cybersecurity,” write Tom Quaadman, the executive vice president for capital markets and competitiveness and Ann Beauchesne, senior vice president for national security and emergency preparedness.
It’s a shot across the bows of regulators who are independent of the administration and enjoy fixed-term appointments, but who will nevertheless find themselves in a very different world after Donald Trump is sworn in as president.
The three regulators’ plan, published in an advance notice of proposed rule-making last October, will also add to a growing forest of overlapping and sometimes contradictory requirements being foisted on banks, insurance companies and others in the sector, argues the chamber — long a foe of regulation.
The proposed rule-making represents a “proliferation of cybersecurity [regulatory] regimes across the financial sector [that] could be counterproductive by creating additional complexity and compliance requirements without a corresponding improvement of [cybersecurity] outcomes,” they add.
The plan “comes in the context of a misguided rule-making” by the New York state banking regulator, and the Federal Trade Commission’s decision to start a process that could amend the agency’s “safeguards rule” — which governs customer information held by financial institutions.
Taken together, “We are concerned that we face a possible tipping point in the wrong direction in the financial services industry” when it comes to cybersecurity regulation, the letter states.
The three regulators’ plan would impose the new “enhanced” rules only on a certain category of financial institutions — basically those with more than $50 billion in assets, labeled systemically important by the Dodd-Frank financial reforms.
Certain IT systems at those larger institutions — the ones deemed by regulators as “sector-critical” — would be subject to more stringent requirements.
The rule could impose requirements like appointing a board member to be responsible for cyber risks. The chamber argues that cybersecurity has become a “critical area of focus for senior leadership at large financial institutions.” But it observes that “approaches vary based on the risks that an individual entity faces, the systems it operates and data it holds, the maturity and design of its cybersecurity program, and its culture.
“Mandating a particular governance structure … is likely to disrupt current efforts and isolate cyber from an entity’s overall risk management approach.”
Moreover, the letter charges, the proposal is at once overly prescriptive and vague in its language: it uses the terms “critical business functions” and “core business functions” interchangeably, and it does not define terms like “sector partners” or “widespread.”
“Cybersecurity is not a one-size-fits-all proposition,” the letter concludes. “Companies must develop cybersecurity programs that are tailored to the risks that they face and their unique operational requirements.”
The original comment period for the rule-making has been extended to Feb. 17.