Don’t Be Like the SEC. Coordinate Often on Cyber Regulations.

BPI submits statement for the record for Senate Homeland Security hearing

Washington, D.C. — The U.S. Senate Committee on Homeland Security and Governmental Affairs is hosting a hearing today to examine ways to streamline federal cybersecurity regulations and improve harmonization among the agencies tasked with enforcing these rules. BPI submitted a statement for the record reiterating its recommendations to identify duplicative and conflicting regulatory regimes, establish common frameworks and promote reciprocity.

Heather Hogsett, senior vice president, technology and risk strategy for BITS, stated:

“Regulations are effective when those responsible for developing and enforcing those rules coordinate their approaches. The current state of affairs is a complex web of competing priorities where rules aren’t just duplicative but create confusion and contradict one another — the most glaring example being the SEC’s cyber incident disclosure rule that undermines congressionally mandated efforts to improve cyber incident response. Redundant and contradictory regulations strain the teams tasked with defending the nation’s financial system and harm America’s cyber preparedness. Regulators must work together to identify and address this overlap. We thank Congress for prioritizing this important discussion.”

Regulatory compliance occupies a growing percentage of cyber defense teams’ time.

The Department of Homeland Security issued recommendations in late 2023 emphasizing the need to harmonize cyber rules. Its Cyber Incident Reporting Council identified 45 different reporting requirements across the federal government, each with disparate standards and thresholds. Complying with the multitude of cybersecurity requirements, among other legal and regulatory obligations, takes time. According to a recent survey of large financial institutions:

  • Chief Information Security Officers or comparable senior cyber leaders spend between 30 and 50 percent of their time on regulatory compliance matters.
  • Cyber teams now spend more than 70 percent of their time on the same regulatory compliance activities.

Here are a few solutions to consider.

  1. Explore models for enhanced regulator coordination similar to the Federal Financial Institutions Examination Council. The FFIEC promotes uniform supervision in banking by establishing a forum for the agencies to develop joint standards and limit duplication.
  2. Encourage greater reciprocity among regulators. Reciprocity would allow regulators to rely on one another’s documentation, testing, evaluations and findings and would prevent regulators from needing to reinvent the wheel.
  3. Promote common frameworks. Common frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework and the Cyber Risk Institute’s Sector Profile simplify compliance and offer streamlined, scalable resources for managing cyber risk and compliance.

Don’t be like the SEC.

As discussed at a House Subcommittee hearing last month, the SEC’s cyber disclosure rule is regulation gone awry. Forcing a bank to prematurely disclose information about a cyber event, oftentimes before a fix is in place, further endangers the bank, consumers and the broader economy. Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 to improve the speed and efficiency of confidential information sharing. The SEC cyber disclosure rule publicizes vulnerabilities to illicit actors and undermines banks’ ability to work with government partners to resolve the problem and coordinate a response.

Had the SEC considered these critical coordination efforts, they would likely have arrived at a rule that appropriately balanced security and investor transparency. Instead, they find themselves defending a rule widely opposed by industry and lawmakers on both sides of the aisle that is being weaponized by ransomware gangs to further extort American companies.


About Bank Policy Institute.

The Bank Policy Institute is a nonpartisan public policy, research and advocacy group that represents universal banks, regional banks and the major foreign banks doing business in the United States. The Institute produces academic research and analysis on regulatory and monetary policy topics, analyzes and comments on proposed regulations, and represents the financial services industry with respect to cybersecurity, fraud, and other information security issues.

Media Contact

Austin Anton
Bank Policy Institute
