BPI and ABA Recommend Office of the National Cyber Director Harmonize Cyber Regulations

Dear Ms. Walden,

The Bank Policy Institute (“BPI”) and American Bankers Association (“ABA”) (collectively, the “Associations”) welcome and appreciate the Office of the National Cyber Director’s (“ONCD”) Request for Information on Cybersecurity Regulatory Harmonization (“RFI”). This is an important opportunity to assess the effect of overlapping and duplicative regulation and develop a streamlined framework to improve security across critical infrastructure sectors.

The Associations support the National Cybersecurity Strategy’s focus on improving
baseline security practices across industry sectors. The strategy also recognizes that increased regulatory focus on cybersecurity, if not carefully calibrated and aligned across government and independent regulators, can have unintended adverse effects. As the Federal government contemplates harmonizing existing cyber regulations and where new regulatory regimes might be appropriate, we encourage a balanced approach that considers the effect on front-line cybersecurity personnel to ensure they are able to meet compliance requirements while maintaining critical day-to-day operational responsibilities.

Financial institutions have complied with myriad security, privacy, operational resilience
and third-party risk management requirements for decades and have worked closely with
prudential financial regulators—the Office of the Comptroller of the Currency (“OCC”), Federal Reserve Board (“FRB”), and the Federal Deposit Insurance Corporation (“FDIC”)—to
encourage coordination where possible. We offer the following recommendations based on these experiences:

  • Regulators should coordinate with each other to lessen the effect of overlapping
    requirements
    — Most cybersecurity requirements for financial institutions are not directly duplicative due to slight variations in regulators’ authorities. However, they generally apply to the same sets of activities, policies, and procedures within firms. The collective effect of supervision and oversight can cause significant strain on firms’ personnel, resources and ability to focus on innovation and keeping up with dynamic threats. Regulators should be cognizant that their requirements may overlap and should work with each other to coordinate and share information so the regulated entity can focus on risk management activities rather than compliance.
  • Regulators should have practical experience and subject matter expertise — Effective oversight requires that agency staff be well-versed in the industries they regulate. This expertise helps promote realistic supervisory expectations and allows cyber professionals to spend more time on security operations.
  • Common standards and frameworks can support effective risk management and supervision — By leveraging established frameworks, regulated entities can prioritize resources and make well-informed security investments. Common standards also allow regulators to tailor examinations and generate comparable responses across regulated entities.
  • Increased regulatory reciprocity will help cyber professionals keep pace with rapidly evolving threats — A holistic reciprocity framework with streamlined oversight requirements would relieve regulated entities from demonstrating compliance with the same or substantially similar requirements to multiple regulators.

To read the full comment letter, please click here, or click on the download button below.