SIFMA, ABA and IIB Respond to Joint Agencies’ Cybersecurity Request for Comment

Washington, DC, February 17, 2017 – SIFMA, jointly with the American Bankers Association (ABA) and Institute of International Bankers (IIB), today submitted comments to the Board of Governors of the Federal Reserve System (“Fed”), the Office of the Comptroller of the Currency (“OCC”), and the Federal Deposit Insurance Corporation (“FDIC”) (collectively, “the Agencies”) regarding their joint advance-notice of proposed rulemaking (“ANPR”) on Enhanced Cyber Risk Management Standards.

The Associations commend the Agencies for their proactive review of the cybersecurity landscape and thoroughness in seeking insight from industry participants on the front lines. The Associations share the Agencies’ goal to strengthen and improve cybersecurity in the financial sector. The comment letter addresses the comprehensive and sophisticated questions posed by the Agencies in the ANPR, reviews the extensive industry and regulatory cybersecurity frameworks already in place, and highlights that prescriptive new regulatory requirements are unnecessary at best and could in fact hamper cybersecurity practices, leaving guidance as the most effective path forward for enhancing cybersecurity.

“Cybersecurity is a top priority for financial institutions, which are dedicating significant resources every day to help protect clients and the integrity of the financial system. Financial institutions also dedicate a significant amount of time and resources toward compliance with an already robust, expanding, and often overlapping, set of cybersecurity regulations,” said Kenneth E. Bentsen, Jr., SIFMA president and CEO. “Firms report that approximately 40 percent of corporate cybersecurity activities are compliance-oriented rather than security-oriented. As such, it is imperative that regulators avoid imposing new rules with unnecessary or duplicative requirements that could deter valuable and finite resources. We are encouraged by the Trump Administration’s Executive Order calling for a review of financial regulation and urge regulators to thoroughly review the risks and unintended consequences that could arise from new cyber regulation.”

The Associations’ comments note the extensive work that has been done by regulators and industry alike to develop core principles and practices that are risk-based and harmonized across the regulatory environment. Financial institutions have already designed cybersecurity programs to align with the NIST Cybersecurity Framework – developed with the input of over 3,000 experts and considered the hallmark for cybersecurity practices – and to comply with federal cybersecurity regulations such as those promulgated under the Gramm-Leach-Bliley Act, which also adopt risk-based approaches to cybersecurity.

If any new rule is promulgated, it should adopt a risk-based approach consistent with the global approach used in voluntary frameworks such as the NIST Cybersecurity Framework, setting control objectives rather than prescriptive requirements. Specifically, the Agencies should consider the risks of certain provisions within the ANPR, which include: (1) arbitrary application of the ANPR to entities with $50 billion in assets (regardless of risk), unnecessarily placing regional financial institutions in scope; (2) creation of a mandatory two-hour recovery time objective irrespective of active cyber threats, potentially forcing targeted institutions to choose between resuming services prior to firm readiness, or resuming services after the two-hour window if necessary and facing noncompliance ramifications; and (3) lack of harmonization with existing industry standards, which exacerbates existing industry cyber risks by forcing information security personnel into compliance functions, rather than actively defending their institutions. The comment letter further outlines the Associations’ views on the Agencies’ proposals and is available here: www.sifma.org/resources/submissions/sifma-aba-and-iib-submit-comments-to-multiple-agencies-on-enhanced-cyber-risk-management-standards/

-30-

SIFMA

SIFMA is the voice of the U.S. securities industry. We represent the broker-dealers, banks and asset managers whose nearly 1 million employees provide access to the capital markets, raising over $2.5 trillion for businesses and municipalities in the U.S., serving clients with over $18.5 trillion in assets and managing more than $67 trillion in assets for individual and institutional clients including mutual funds and retirement plans. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit http://www.sifma.org.

ABA

The American Bankers Association is the voice of the nation’s $16 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2 million people, safeguard $12 trillion in deposits and extend more than $9 trillion in loans. www.aba.com

IIB

The Institute of International Bankers is the only national association devoted exclusively to representing and advancing the interests of the international banking community in the United States. Its membership is comprised of internationally headquartered banking and financial institutions from over 35 countries around the world doing business in the United States. The IIB’s mission is to help resolve the many special legislative, regulatory, tax and compliance issues confronting internationally headquartered institutions that engage in banking, securities and other financial activities in the United States. Through its advocacy efforts the IIB seeks results that are consistent with the U.S. policy of national treatment and appropriately limit the extraterritorial application of U.S. laws to the global operations of its member institutions. Further information is available at www.iib.org.