SIFMA today published its "Principles for Effective Cybersecurity Regulatory Guidance," which provides regulators with SIFMA members' insight on productive ways to harmonize and create effective cybersecurity regulatory guidance. SIFMA's goal is to promote a collaborative approach to cybersecurity that can foster innovation and strengthen efforts to protect financial industry operations and, most importantly, our clients. This paper is one in a series of initiatives undertaken by SIFMA focused on enhancing the industry's cybersecurity preparedness and practices.
"Cybersecurity is a top priority for the financial services industry, which is dedicating significant resources to protect the integrity of the markets and the millions of Americans who use financial services every day. Effective and consistent regulatory guidance is a critical component of the broader cyber defense effort, as it promotes best practices and accountability across the financial sector," said Kenneth E. Bentsen, Jr., SIFMA president & CEO. "Cyber attacks are increasing in frequency and sophistication, and it is critical that the industry and government collaborate to mitigate these threats. We appreciate that the public sector has embraced this partnership and we will continue to offer our insights to help them in their work."
Specifically, SIFMA's paper outlines ten foundational principles that can serve as a framework for robust and efficient cybersecurity guidance. SIFMA's recommendations are meant to help regulators as they move forward with plans to review, update and harmonize their cybersecurity policies, regulations, and guidance, in order to strengthen the financial sector's defense and response to cyber attacks.
SIFMA members believe there is an opportunity to enhance regulatory guidance beyond existing requirements to improve the protection of the financial sector, and that a dynamic and collaborative partnership between the industry and government is the most effective path forward to accomplish this goal. The benefits of this partnership approach led to the development of the NIST Cybersecurity Framework, which SIFMA is actively promoting within its membership. SIFMA encourages regulators to use the Framework as a universal structure that can serve as a starting point for creating a unified approach to cybersecurity.
Importantly, SIFMA's paper notes that harmonization of regulatory guidance across agencies and across borders is essential to avoid confusion in the industry and the duplication of efforts. SIFMA recommends the development of an inter-agency harmonization working group that could coordinate the review of cybersecurity regulations, ensure consistency and receive private sector input.
SIFMA's ten principles are as follows:
- Principle 1: The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community
- Principle 2: Recognize the Value of Public-Private Collaboration in the Development of Agency Guidance
- Principle 3: Compliance with Cybersecurity Agency Guidance Must be Flexible, Scalable and Practical
- Principle 4: Financial Services Cybersecurity Guidance Should be Harmonized Across Agencies
- Principle 5: Agency Guidance Must Consider the Resources of the Firm
- Principle 6: Effective Cybersecurity Guidance is Risk-Based and Threat-Informed
- Principle 7: Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews
- Principle 8: Crisis Response is an Essential Component to an Effective Cybersecurity Program
- Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms' Confidences
- Principle 10: The Management of Cybersecurity at Critical Third Parties is Essential for Firms
The full text of SIFMA's "Principles for Effective Cybersecurity Guidance," which is one in a series of initiatives at SIFMA focused on enhancing the industry's cybersecurity practices, can be found here: http://www.sifma.org/issues/item.aspx?id=8589951691. Over the past several years, SIFMA has brought together experts from across the public and private sectors to better understand the risks involved in a cyber attack and how the industry can best prepare to thwart one. More information on SIFMA's cybersecurity work can be found here: http://sifma.org/issues/operations-and-technology/cybersecurity/overview/.