US trade body calls for ‘harmonised’ cyber security regulations in financial sector

Out-Law News | 23 Oct 2014 | 11:56 am | 1 min. read

New proposals designed to boost oversight of cyber security measures by regulators in the US have been published by the country’s Securities Industry and Financial Markets Association (Sifma).

Sifma, a US industry trade group which represents securities firms, banks and asset managers, said its recommendations (11-page / 332 KB PDF) aim to help regulators “as they move forward with plans to review, update and harmonise their cyber security policies, regulations, and guidance”, to strengthen the financial sector's defence and response to cyber attacks.

Sifma said its members “believe there is an opportunity to enhance regulatory guidance beyond existing requirements to improve the protection of the financial sector, and that a dynamic and collaborative partnership between the industry and government is the most effective path forward to accomplishing this goal”.

One of Sifma’s recommendations, which it refers to as ‘principles’, is the setting up of “an inter-agency harmonisation working group” to coordinate a review of cyber security regulations and “ensure consistency and receive private sector input”.

“Industry looks to the government to help identify uniform standards, promote accountability across the entire critical infrastructure, and provide access to essential information. Likewise, government depends upon industry to implement reform and collaborate on identifying risks and providing effective solutions,” Sifma said.

Technology law expert Luke Scanlon of Pinsent Masons, the law firm behind Out-Law.com, said: “Sifma’s principles provide some basic building blocks on which organisations can build effective cyber strategies that marry up regulatory language with technical and commercial considerations and also promote collaborative engagement on the issue. As Sifma has taken a principle-based approach rather than a prescriptive one, its principles help organisations avoid the unnecessary compliance risk of relying on specific standard-based compliance regimes, which may or may not reflect industry best practice or may do so for only a certain period of time, but fail to be flexible enough to account for the ever-changing cyber threat landscape.”

Scanlon said: “For cyber security measures to be effective there needs to be consistency between the language used by regulators, commercial decision makers within organisations and also technical staff. The greater the risk in breakdown of language the more critical a cyber failure could prove to be in terms of damage caused, whether that be financial or reputational for an organisation or its customers.”

Last year, the US National Institute of Standards and Technology (NIST) published a draft cyber security framework for businesses operating in the telecoms, energy, transport and other critical infrastructure industries.

The framework encouraged businesses to understand the risks to their systems, data, assets and capabilities and then put in place "appropriate safeguards" to ensure they can deliver critical infrastructure services. The framework also required businesses to be able to detect attacks on their systems and outlined how they should respond to and recover from cyber security events.