When it comes to cybersecurity, the less regulatory intrusion the better, an advocacy group for large banks argued in a report Friday.
In the report, The Clearing House said that overlapping layers of regulation, guidance and laws that establish cybersecurity requirements for the financial industry are only hurting banks' efforts to deal with cyberthreats. Since 2014, U.S. banks have been subject to at least 43 new cybersecurity-related policy requirements, according to the report, which will appear in the group's latest quarterly journal.
“With cybersecurity, there is no moral hazard or perverse incentive,” wrote Greg Baer, the president of The Clearing House, and Rob Hunter, the group's deputy general counsel. “Banks own the risk associated with cybersecurity attacks and have every incentive to mitigate it.”
Baer and Hunter argue that the agencies' approach "shows a lack of cybersecurity expertise" and that rules are "written to favor compliance over active defense." They were particularly critical of a proposal from the Federal Reserve, Federal Deposit Insurance Corp. and Office of the Comptroller of the Currency that would impose enhanced cybersecurity requirements on large financial institutions and large third-party providers.
The cost of compliance, they also argued, is diverting resources away from cybersecurity protection and "actively hindering the security of the nation's financial infrastructure."
“U.S. and global banking regulators — and only banking regulators — are doing more harm than good in this area and need to stop,” they added.
In addition, The Clearing House said that the New York State Department of Financial Services overstepped its authority with its cybersecurity rule that took effect in March.
“Should the New York State Department of Financial Services (or any other state, for that matter) be leading the defense of our nation?” the authors wrote.
The Clearing House praised a December report by the Presidential Commission on Enhancing National Cybersecurity, which stressed the need for public-private efforts on cybersecurity.
The report made five recommendations to regulators to improve the cybersecurity defenses of the financial industry. It advocated for enabling public-private partnerships led by the Department of Homeland Security and for the agencies to consolidate all their guidance and rules into one single set of principles. It also said banks should be granted immunity from blame in the event of a cyberattack, and called for removing laws or rules that block financial institutions from sharing threat information with each other and for imposing federal preemption over state laws on matters of cybersecurity.
In May, President Trump signed an executive order calling for the heads of government agencies to ensure their own organizations follow the National Institute of Standards and Technology's cybersecurity framework. Several defense agencies were also ordered to issue recommendations on how to improve cybersecurity standards among critical industries, including financial services. The recommendations are due in November.