Ladies and Gentlemen:
The Bank Policy Institute (“BPI”)[1], through its technology policy division known as BITS[2], appreciates the opportunity to comment on the request for information issued by the National Institute of Standards and Technology (“NIST”) regarding the proposed Cybersecurity Framework (“CSF”) update.
When first published in 2014, NIST stated that the CSF would exist as a living document and go through ongoing updates based on industry stakeholder feedback. In the ensuing years, the CSF has helped create an effective common framework for cyber risk management and enabled cross-sector, public-private coordination. It has also spawned useful private sector enhancements such as the Cyber Risk Institute (“CRI”) Profile, which extends the CSF in important areas such as governance and supply chain/dependency management and connects controls to both technical and financial industry regulatory guidance for firms to follow. However, both the day-to-day and strategic cybersecurity landscape of 2022 are vastly more complex than those of 2014. As a result of this more active and intense operating environment, it is imperative that the CSF continues to revise to meet these new challenges and remain a tool for users to identify, respond to, and if needed recover from threats. It is also important to ensure that future revisions do not add complexity and remain focused on technology and cybersecurity risk management.
To read the full comment letter, click here, or click on the download button below.
[1] BPI is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s bank originated small business loans and are an engine for financial innovation and economic growth.
[2] BITS – Business, Innovation, Technology, and Security – is BPI’s technology policy division that provides an executive level forum to discuss and promote current and emerging technology, foster innovation, reduce fraud, and improve cybersecurity and risk management practices for the nation’s financial sector.
