Banks Recommend Office of the National Cyber Director Harmonize Cyber Regulations
Washington D.C. – The Bank Policy Institute and American Bankers Association today made recommendations to the Office of the National Cyber Director in response to its effort to harmonize cyber regulations under the National Cybersecurity Strategy. Unlike other industries, financial institutions are subject to multiple regulators exercising authority on a litany of complex and overlapping regulations. The letter summarizes these existing obligations and recommends a balanced approach to compliance that would help cybersecurity professionals focus on their critical operational responsibilities.
“Overlapping and redundant compliance requirements divert resources that could otherwise be used to protect against future threats,” the groups stated. “Greater coordination among all financial regulators and with industry are prerequisites to a more secure sector, and the optimal way to get there is to assess existing requirements and unify around common goals and standards creating a more streamlined and efficient regulatory process.”
The groups specifically call on the ONCD to prioritize the following as it assesses cyber requirements across all sectors:
- Improve coordination: Regulators should coordinate with each other to lessen the effect of overlapping requirements.
- Increase subject matter expertise: Regulators should understand the industries they regulate and have practical and subject matter expertise.
- Promote common standards: Common standards and frameworks enable firms to prioritize resources and allocate investments, facilitating effective risk management and supervision.
- Increase regulatory reciprocity: Regulators should accept the reports, findings and test results of other regulators and not require firms to demonstrate compliance with the same or substantially similar requirements.
What’s the background?
The White House Office of the National Cyber Director issued a request for information on July 19, 2023, to solicit comments from industry. These recommendations will contribute to the ONCD’s effort to coordinate cybersecurity regulation and strategy across the broader economy.
As highlighted in a recent report by the Department of Homeland Security, financial institutions comply with more cyber incident reporting requirements than any other industry. Obligations for the financial sector extend beyond incident reporting and include requirements for cyber incident disclosure, consumer breach notification, operational resilience and data privacy and security. These requirements are enforced by the prudential banking regulators, the Department of Treasury, CISA, CFTC, CFPB, FTC, SEC and NYDFS, and include, for example:
- Cyber Incident Reporting for Critical Infrastructure Act
- Gramm-Leach-Bliley Act
- FFIEC IT Examination Handbook
- Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers
- SEC Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure
- The Fair Credit Reporting Act
- Right to Financial Privacy Act
- National Association of Insurance Commissioners (NAIC) Model Law
- State Data Breach Notification Requirements
Financial institutions must also comply with laws in other jurisdictions, such as the European Union General Data Protection Regulation (GDPR) and the European Union NIS Directive 1.0, which oftentimes affect U.S. business practices.
Identifying these requirements and minimizing potential overlap will allow banks to better respond to immediate threats and adapt to rapid technological change on the horizon.
About the Bank Policy Institute
The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.
About the American Bankers Association
The American Bankers Association is the voice of the nation’s $23.5 trillion banking industry, which is composed of small, regional and large banks that together employ more than 2.1 million people, safeguard $18.6 trillion in deposits and extend $12.3 trillion in loans.