The Hill: Bolster Cyber Defenses with Streamlined Regulation

The following op-ed was originally published in The Hill on November 1, 2017. 

Cyber crime is now a bigger criminal enterprise than the global narcotics trade. The financial services industry is a top target, facing tens of thousands of attacks each day. While regulation and supervision of cyber preparedness have an important role in the collective cyber defense effort, the current landscape of duplicative, redundant and overlapping requirements of multiple regulators can lead to a suboptimal balance of industry resources devoted to compliance versus security.

October marked National Cybersecurity Awareness Month, a prime opportunity for the industry and regulators alike to assess how cyber defense and response policies and protocols can be improved to protect our nation’s critical infrastructure, including the financial markets. Enhanced harmonization of regulatory standards and supervision would improve the efficient use of critical cyber resources. In simple terms: financial institutions shouldn’t have to devote limited resources to redundant regulatory and supervisory requirements at the expense of actual security-based activities.

In fact, large financial institutions report that approximately 40 percent of corporate cybersecurity activities are compliance-oriented rather than security-oriented.

Consider that for the financial services industry there are no fewer than 11 federal agencies that impose some form of cybersecurity requirements. This is in addition to individual states’ requirements and those of self-regulatory organizations such as the Financial Industry Regulatory Authority and the National Futures Association. These rules and guidelines are further layered with standards developed by the National Institute of Standards and Technology and the International Organization for Standardization, which guide financial institutions in setting cybersecurity standards and measuring the adequacy of cybersecurity programs. Large financial institutions may also be subject to additional or different cyber regulations in each region where they conduct business.

Make no mistake, both the industry and our regulators are in complete agreement that cybersecurity and resiliency are and should be a top priority. And our collaboration with regulators on the matter has never been greater. Regulators could help enhance defense and resiliency by establishing a unified cyber assessment framework and a common set of controls across financial services regulatory bodies. The use of consistent language and terminology in regulations, guidance, rules and examinations would go a long way in promoting efficient cybersecurity spending. The cybersecurity standards developed in 2014 by the National Institute of Standards and Technology could form the basis of this common framework.

To their credit, regulators should be recognized for making strides towards harmonization, including the formation of a Regulatory Harmonization Working Group. The industry also welcomed the President’s May 2017 Executive Order calling for a comprehensive review of cybersecurity efforts across all government agencies.

Cybersecurity is truly a shared objective where the interests of the government and private sector are fully aligned. We are all targets and the industry remains vigilant to confront this risk every day.

For our part, the securities industry is constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, industry exercises, and close coordination between the financial sector and the government, including our regulators. This is a C-Suite and Board-level issue and has been a top industry priority for several years. A strong collaboration between the government and private sector is key to success. Continued work to streamline regulation would strengthen this partnership and help to better protect investors.

Mr. Bentsen is President and CEO of SIFMA. He is also Chairman of Engage China, a coalition of 12 U.S. financial services trade associations united in support of high-level engagement with China. From 1995 to 2003, Bentsen served as a member of Congress from Texas, where he sat on the House Financial Services Committee (and its predecessor House Banking and Financial Services Committee), and separately on the House Budget Committee.