The nation's biggest banks have a message for the government on efforts to bolster cybersecurity protections: We're already facing plenty of standards.
Owners of financial networks already are subject to a series of laws and regulations that govern their efforts to safeguard their networks against unauthorized intrusions, the Financial Services Sector Coordinating Council said in comments filed Tuesday with the National Institute of Standards and Technology.
Efforts by NIST to fortify the nation's cyber defenses should augment current efforts by the financial industry, according to JPMorgan Chase (JPM), Bank of America (BAC), Citigroup (NYSE:C), Wells Fargo (WFC), Fannie Mae, MasterCard (MA), PayPal, Visa (NYSE:V) and roughly 45 other companies, exchanges, coordinating groups and trade associations that signed on to the council's comments.
The council was among dozens of commenters who weighed in by Tuesday's deadline from NIST for input on digital security risks and practices for addressing them. Commenters included companies that serve the financial industry's information technology needs, including PricewaterhouseCoopers, Microsoft (MSFT), Verizon (VZ), Cisco (CSCO) and Mandiant, a digital security firm.
An order issued by President Obama in February gives the government eight months to delineate a preliminary framework that addresses risks to the nation's energy grid, financial networks and other critical infrastructure. Congress also is expected to take up legislation that aims to bolster the nation's cyber defenses.
The effort follows a series of cyberattacks since September that have slowed online sites and inconvenienced customers of at least 13 financial institutions, some of which have been struck repeatedly. JPMorgan, Bank of America, Citigroup and Wells Fargo all have weathered the onslaughts.
In February, Mandiant reported that hackers backed by the Chinese military have stolen business secrets from hundreds of companies in the U.S. and abroad.
In a letter to NIST, Charles Blauner, the council's chairman, said the financial industry, "working in close cooperation with federal banking, law enforcement and other agencies, has a long history of facing cyber threats and, in response, has developed strong data security controls, protocols, procedures and business standards."
"Accordingly, FSSCC urges NIST to heed the significant work that U.S. financial services institutions and their regulatory agencies have done to ensure that its cybersecurity framework does not impede the on-going, well-functioning public and private sector partnerships that the financial services industry has developed," Blauner added.
The comments themselves address a series of 33 questions by NIST that cover current risk management practices, standards and guidelines, and specific industry practices. The institute asked companies to detail what they see as challenges in improving digital security practices, how commenters define cybersecurity risk, and the extent to which firms incorporate such risks into companywide management.
The council said its members maintain a series of controls, techniques and practices for managing cybersecurity across their institutions. Though approaches vary, most members place the functions that manage cyber risks in information security, technology or operations departments, which have varied connections to members' chief executives or boards of directors.
Standards that govern cybersecurity come from the Federal Financial Institutions Examination Council, the Sarbanes-Oxley Act and the Gramm-Leach-Bliley Act, as well as a patchwork of federal and state laws, regulations and domestic and international standards that govern activities ranging from securing data to responding to disasters.
































