WASHINGTON — Bankers are praising regulators’ coordinated effort to build a new tool to help banks assess their cybersecurity process, but they hope the agencies will go even further in harmonizing oversight of cyber issues.
The Federal Financial Institutions Examination Council released the tool earlier this year, and regulators are also planning to redesign examinations of regulated entities' cyber programs.
"Anytime we can get convergence around a tool we support" that, said Matthew Chung, managing director and chief information officer of technology and information risk at Morgan Stanley, during a conference here Tuesday sponsored by the Securities Industry and Financial Markets Association.
Speaking on the same panel, Gregory Rattray, director of global cyberpartnerships and government strategy at JPMorgan Chase, said that he would like to see the FFIEC cybersecurity framework move forward but that JPMorgan will be in "strong dialogue" with the regulators as they develop the tool further.
"They rightfully said this is new, we want comment. Hopefully we will be working with them going forward and the revision of that is that makes it more effective for both parties," Rattray said.
Chung also said that while the FFIEC coordination was welcomed, the tool still has its flaws.
"We support the strategy but think the implementation needs more refining," Chung said. "I don't think it takes into account residual risk when it tries to calculate inherent risk. It is very binary in nature, which is quite difficult for a global organization to answer those questions in a binary way."
State regulators are also moving ahead on their own new set of requirements. The New York State Department of Financial Services sent a letter on Tuesday announcing it was creating new rules that would address cyber-related issues such as multifactor authentication, third-party management, encryption and breach notification.
"It is our hope that this letter will help spark additional dialogue, collaboration and, ultimately, regulatory convergence among our agencies on new, strong cybersecurity standards for financial institutions," the agency wrote.
The NYDFS mention of third-party service providers highlights an area of increasing concern for regulators as many institutions have chosen to outsource IT functions.
The FFIEC is in the process of developing a cybersecurity assessment tool for third-party service providers similar to the one that was published for banks. Melody Hildebrandt, director of cybersecurity at Palantir Technologies, a software and service company that specializes in data analysis, said during the Sifma conference that some third-party vendors are slacking.
"I don't think we are holding these organizations and tech companies to a high enough standard in terms of the products that they offer," Hildebrandt said. "There will be backlash and some sort of liability standard for those companies" if they don't start "raising their game."
During the conference, Treasury Secretary Jacob Lew acknowledged he was deeply concerned about cyberthreats.
"A day doesn't go by that I don't worry about cybersecurity," he said.
Speaking after Lew, Securities and Exchange Commission Chair Mary Jo White said "there can be no higher priority for public and private sector than the cyberthreats."
Lew reiterated a call on Congress to pass legislation that would facilitate information-sharing between companies about cyberbreaches by providing some liability protections.
"It is an important thing that legislation is passed … that would take down some of the barriers of information sharing," Lew said. "We have done about the extent to what we can do as far as authorizing data sharing."
The House and Senate have both passed information sharing bills, but they still need to negotiate final legislation.