WASHINGTON — Cybersecurity enforcement efforts need to be better coordinated across government agencies, financial industry groups said in a letter Friday to the National Institute of Standards and Technology.
"The lack of harmonization and alignment" among regulators is "causing firms to expend substantial resources reconciling unique, and often competing, examination questionnaires, frameworks, and tools," said Rich Baich, the head of the Financial Services Sector Coordinating Council. "To improve the national cybersecurity posture, the use, promotion, and establishment of a common cybersecurity lexicon and framework is crucial."
In its letter, the FSSCC, a cybersecurity coalition comprising industry groups such as the American Bankers Association and Independent Community Bankers of America, responded to a call for comments from the NIST to provide recommendations to the Commission on Enhancing National Cybersecurity, an advisory body established in February by President Obama.
Baich said he supported the NIST's cybersecurity framework, a baseline standard for "critical infrastructure" sector companies that was first released in February 2014. But he added that a number of federal and state agencies and regulators in charge of the financial services industry had since then issued their own frameworks separate from the NIST's.
"Although some of these cyber initiatives have incorporated the NIST Cybersecurity Framework's structure and terminology, others have not done so, opting for differing framework approaches and language," Baich said. "With these disparate approaches in structure and language, the ability of firms to contextualize key issues and appropriately evaluate the effectiveness of internal and external cybersecurity efforts has been negatively impacted."
Baich pointed to an example of "one multinational financial services firm" that reported spending 40% of its funds dedicated to cybersecurity on "reconciliation and compliance, not on actual cybersecurity activity."
"This overlap has directed limited resources to creating single-use, compliance data sets, rather than expanding active security and mitigation," Baich said.
In his letter, Baich also asked regulators to implement risk-based approaches in cybersecurity that could target certain emerging industries, such as internet-connected devices. "The federal government should appropriately fund research and development initiatives that not only identify these emerging technology issues, but also the risks posed and potential solution sets to mitigate these risks," he said.
In addition, the FSSCC advocated for the creation of a "lifeline" sector, which would place energy, telecommunications, and financial services above the 16 "critical infrastructure" sectors identified by the government. This new subset "should make [these sectors] eligible to receive enhanced government assistance and support, such as supplementary intelligence, prioritization in emergencies, and additional liability protections," Baich said.