WASHINGTON — Big banks have a simple message to regulators seeking to create new cybersecurity standards: We're way ahead of you.
A broad range of industry players are panning an October proposal by bank regulators that would impose new cybersecurity requirements on systemically important financial institutions, arguing they will only slow down industry efforts to keep systems secure.
“No one disputes that cybersecurity is enormously important,” said Douglas E. Phillips, senior vice president and general counsel at Promontory Interfinancial Network, a third-party service provider. “It does not follow, however, that more cybersecurity regulation would mean better cybersecurity. Even if one assumes that, in general, regulation is a good thing, too much of a good thing often causes harm.”
In comment letters to the agencies, industry groups argued that the proposal — which would target financial institutions with assets of $50 billion or more — would hamper their efforts to improve their defenses and muddle pre-existing regulatory requirements.
Many of the groups called instead for the agencies to create a harmonized, risk-based approach.
“Diversity of size, charter, holding company structure, geography, and business model is a distinct feature of the American financial services sector,” said Rich Baich, chairman of the Financial Services Sector Coordinating Council, a group that facilitates communication on cybersecurity incidents between large financial institutions. “Entities should have governance structures consistent with their business needs and overall risk management strategies.”
Several renewed calls to create more consistency across the different cybersecurity standards they are already subject to, either through the Gramm-Leach-Bliley Act, the Federal Financial Institutions Examination Council’s cybersecurity assessment tool or a number of individual agency letters such as the Office of the Comptroller of the Currency’s third-party risk management guidance.
The Electronic Transactions Association “respectfully requests that the agencies place this effort on hold, and work with the appropriate government and industry groups to harmonize existing cybersecurity rules,” said Scott Talbott, the group’s senior vice president of government affairs.
Since 2014, regulators — either at the state, federal or international level — and industry bodies have “issued or proposed 43 differing cybersecurity frameworks, questionnaires, rules, and requirements applicable to the financial services sector,” Baich wrote.
Others suggested that in keeping with President Trump’s recent executive order to strike down two rules for every new one passed, the agencies should proceed with caution.
Though the measure does not directly affect the regulators, as independent agencies, “we assume that the agencies, consistent with past practice, intend to adhere to its principles,” Phillips said.
Financial institutions also suggested many of the cybersecurity proposal’s features would be counterproductive to their ongoing work to protect their systems.
For example, several objected to a proposed two-hour window for financial institutions to resume critical operations after a major incident.
Richard Foster, senior counsel at the Financial Services Roundtable, and Christopher F. Feeney, the president of the group's policy division, BITS, said that rushing could lead to even worse mistakes.
“There will also be instances where increased assurance is needed before rushing a system back into operation,” Foster and Feeney said. “Haste can generate new vulnerabilities and propagate existing threats, creating new victims on top of the original ones, re-victimizing original targets, and risking the destruction of evidence critical to improving future cyber resiliency and assisting law enforcement in pursuing those responsible for the attack.”
In addition, several groups said they are already working on some provisions included in the proposal, such as developing a way to standardize financial records to ensure they can be backed up in the event that one financial institution loses access.
“The industry is moving forward with a voluntary effort to create the capability to preserve critical records in case of a cyber event and to enhance resiliency for financial institutions’ customer accounts and data,” the American Bankers Association, the Securities Industry and Financial Markets Association (Sifma) and the Institute of International Bankers said in a joint letter.
“Given the complexity of this undertaking,” they added, “we request that the agencies not impose specific requirements for the offline storage and restoration of critical records until the industry has more fully developed a practical way to conform with such a requirement.”
The letter was signed by Doug Johnson, a senior vice president at the ABA; Thomas M. Wagner, managing director at Sifma; and Richard Coffman, general counsel at the Institute of International Bankers.
But one major question posed by the regulators split the financial services industry between third-party service providers and banks.
While banks and their partners agree that third-party service providers shouldn't be covered under any enhanced requirements, they disagree over who should pay the cost of that compliance if regulators do apply it to them.
“Applying the [proposal’s] standards to third-party service providers would impose unwarranted costs on all types of banking organizations, including community banks,” said Phillips at Promontory, which has also faced five examinations since 2010 as a service provider, according to the letter.
Phillips said that those partner firms could face overlapping requirements due to their work with a variety of financial institutions.
“A service provider would be subjected to the [enhanced] standards on the basis of the tiers occupied by the entities it served,” he said, “and if it served entities in more than one tier, the service provider would become subject to multiple different sets of standards.”
Some fintech players raised fears that the cybersecurity plan could result in banks cutting off their access to their customers’ financial data.
The Consumer Financial Data Rights Group worried the new standards “will be used to justify the refusal by covered financial institutions to connect to third parties that refuse to assume the compliance burden of becoming service providers to those institutions,” the group said in its comment letter.
“Indeed, the Enhanced Standards could even create criminal liability for third parties,” said the CFDR, which comprises Affirm, Betterment, Envestnet and Kabbage.
Banks said that if they were held responsible for imposing higher standards on their third-party providers, they would have to waste tremendous resources in the process.
“Financial institutions contract with hundreds, if not thousands, of third-party vendors for a variety of services,” Foster and Feeney said. “Requiring financial institutions to audit each and every one of these vendors … would not only strain the resources of the covered entities themselves, but also the vendors, as many of them contract with multiple financial institutions.”
Ultimately, it could cost banks some vendor relationships, they added. “There is often minimal leverage for the negotiation of vendor contracts, particularly with respect to larger (and potentially more secure) third-party vendors, such as Amazon or Microsoft.”
But if regulators imposed direct oversight over these companies, this might also hamper competition among providers, others said.
“Direct application of heightened standards to such critical service providers may assist financial institutions in prioritizing their resources based upon cyber risk to the entity,” said the ABA’s Johnson, Wagner at Sifma and Coffman at the international bankers group.
“But the potential benefits should be considered in light of competing considerations, including the impact of such regulation on innovation, cost, technical flexibility, and the efficiency of decentralized risk management.”
Meanwhile, Fiserv, one of the largest core processing companies for banks, argued that having regulators impose these standards directly on the providers could create competitive issues.
“As a general matter,” Fiserv wrote, “applying rules directly to the service provider and examining the service provider’s interpretation and implementation of those rules very well could generate industry conflict and friction, rather than much-needed alignment and collaboration.”