Banking Groups Hail New Federal Cybersecurity Steps

WASHINGTON — Banking industry representatives praised voluntary cybersecurity guidelines released Wednesday that come as lawmakers mull improvements to data safeguards in the wake of breaches at Target and other stores.

The National Institute of Standards and Technology finalized a framework to help guide industries as they improve their cybersecurity efforts. The high-level document is meant to assist organizations set and pursue goals for cybersecurity risk management in a cost-effective way without adding new regulatory burden.

Banking groups hailed the release of the new principles, which had stemmed from a 2013 Obama administration executive order calling for steps to improve the cybersecurity of "critical infrastructure."

"The framework reflects existing regulations and practices within the financial services sector. It also provides important direction to the public sector on improving cybersecurity soundness and ultimately the safety of our nation's critical infrastructure," said Frank Keating, the president of the American Bankers Association, in a press release.

"Banks and other financial services companies have made cybersecurity a top priority and are subject to the most stringent regulatory requirements. We have put in place the highest level of security among critical sectors, and become a role model sector for cooperation, effectiveness and security."

The framework, which was developed in consultation with multiple industries, establishes a "core" set of activities and goals that are common across sectors for improving cybersecurity. Yet the agency, which is part of the Commerce Department, said the document is more the start of a process to develop model cybersecurity programs rather that the completion. NIST called the framework "Version 1.0", describing it as a "living" document that will be revised.

The agency also released a companion "roadmap" identifying specific areas for cybersecurity improvements to be addressed in future iterations, including authentication mechanisms, cybersecurity workforce needs and technical privacy standards.

"The framework provides a consensus description of what's needed for a comprehensive cybersecurity program," said Patrick D. Gallagher, the undersecretary of Commerce for standards and technology and director of NIST, in a press release. "It reflects the efforts of a broad range of industries that see the value of and need for improving cybersecurity and lowering risk. It will help companies prove to themselves and their stakeholders that good cybersecurity is good business."

The document comes as Capitol Hill looks more seriously at data security legislation following the theft of personal data from as many as 110 million customers using credit cards at Target stores around the holidays. That cyber-attack was followed by reported breaches at Neiman Marcus and Michaels. Among ideas being discussed are clearer steps for consumers to be notified of a data breach as well as banks' adoption of newer "chip and PIN" security technology for payment cards.

"As our nation faces growing cybersecurity risks, today's report comes at a crucial time and will help the public and private sectors address these challenges," the Independent Community Bankers of America said in a press release.

Tim Pawlenty, chief executive of the Financial Services Roundtable and a former Minnesota governor, praised the inclusion of privacy concerns in the document.

"FSR applauds NIST's important effort on the framework and we were proud to have been involved," Pawlenty said in a press release. "We were pleased to see NIST included our priorities around robust privacy protections for consumers. We look forward to working with Congress on cyber threat information sharing to ensure our industry's customers are ultimately protected."