Amid glut of cyber rules, banks launch global tool to assess risks
WASHINGTON — More than 150 banks and many of the world’s largest vendors, working through a collaboration with trade groups, have launched a "best practices" assessment tool for applying cybersecurity regulations globally.
The assessment is voluntary, but institutions such as HSBC and Citigroup are hoping that it can streamline compliance with international cyber rules.
“We’re in roughly 67 countries and from a regulatory perspective to date for information cybersecurity we’ve identified about 330 regulations around the globe with close to 80 of those just being in the U.S.,” said Ann Lavis, senior vice president, U.S. head of information security risk at HSBC. “The only way we can beat all the threats that are coming in today, and there are going to be so many more coming, is if we start talking more with each other. But we’ve got to have that common framework.”
Bankers argue that each year they are bogged down by hundreds of questions from examiners at various regulatory agencies on cybersecurity risk management that could be streamlined.
In response, the Financial Services Sector Coordinating Council, made up of a handful of global banking trade groups, created a document to help banks and regulators apply a uniform cybersecurity assessment. The FSSCC estimates a community bank could reduce the number of regulatory questions it must answer on cybersecurity by as much as 73% using the new assessment document.
“There is no greater threat to financial stability than a large-scale cyber event, and robust public-private partnerships are the most effective way to manage cyber threats,” said Tom Wagner, managing director at SIFMA and vice chair of the FSSCC, in a press release. “The financial services industry is constantly working to improve cyber defenses, resiliency and recovery through massive monetary investment in technology and personnel, regular training, best practices development, and industry tests.”
The trade groups involved in the initiative include the American Bankers Association, the Bank Policy Institute and the Institute of International Bankers.
Federal regulators speaking at the launch event Thursday said they are not requiring banks to use the new cybersecurity assessment, but said it can be used as a voluntary tool for managing cyber risk.
“The Fed is in favor of any approach that helps strengthen the cybersecurity results in the financial sector,” said Julia Philipp, senior supervisory financial analyst at the Federal Reserve Board. “While we’re not going to mandate the use of a profile, we welcome any financial institution to provide information to us using the structure and taxonomy of the profile; and we have instructed our examiners that we are going to ask questions. We’ll ask questions and we will convey responses to institutions that choose to use the profile in a manner that is consistent with the profile.”
Regulators agreed that the effectiveness of the standard and whether examiners will begin using it depends on how well and how broadly banks employ it.
“We are absolutely neutral to the format or framework that an institution chooses to use,” said Kevin Greenfield, director for bank information technology at the Office of the Comptroller of the Currency. “If the industry moves to use this cybersecurity profile, that is what we will base our assessments on, but really each institution should use the format that it feels best meets its needs.”
Major third-party vendors, including FIS and the transaction processor DTCC (Depository Trust & Clearing Corp.), are also participating in the new standard so that their cybersecurity risk management is more consistent with that of their partner banks.
“What really drew us to this initiative is that we are examined by 20,000 clients who are examined by regulators across the globe” and “thousands of questionnaires come in . . . and one regulator says it this way and another regulator says it that way,” said Kara Hill, chief information security officer at FIS, based in Jacksonville, Fla. “That’s what drew us to this. It’s to say let’s all get on the same page with taxonomy, with the same definitions, the same process to assess this and cut through that confusion.”
The FSSCC said the assessment is only an initial version and will be built out as new questions and cybersecurity events arise.
“The cybersecurity profile represents the industry’s commitment to working together to preserve the safety and soundness of the financial system by mitigating and protecting its institutions, their customers and the broader economy from increasing cybersecurity risks,” said Chris Freeney, president of BPI’s tech policy subdivision called BITS and policy committee co-chair of the FSSCC, in a press release. “The cybersecurity profile is a first of its kind document that will help the industry harmonize its approach to cybersecurity risk management.”