Regulators risk doing more harm than good with cyber rules
Every day seemingly brings a fresh reminder of the nation's vulnerability to cyberattack, whether from criminals, terrorists or hostile nation-states. A recent report by the nonpartisan Presidential Commission on Enhancing National Cybersecurity details those threats, and proposes thoughtful and innovative solutions to the next administration. The report also illustrates how U.S. and global banking regulators are doing more harm than good in this area, and need to stand down.
The nation's banks understand the existential threat posed by cyberattacks. They employ tens of thousands of cybersecurity professionals — many of them former members of the intelligence community, law enforcement or the military, as well as some of the brightest minds in computer science and social engineering. The largest banks have disclosed that they spend $400 million to $600 million annually on cyberdefense.
These firms are also at the forefront of private-sector-driven initiatives to meet the threat. Over 7,000 financial services firms now share real-time threat information and analysis through the Financial Services Information Sharing and Analysis Center (FS/ISAC). (Disclosure: I was a co-founder of the FS/ISAC in 1999, while serving as the Treasury Department lead for critical infrastructure protection.)
Large financial institutions increasingly share information with law enforcement and intelligence agencies that can be helpful in cyberdefense. While the willingness of the government to share classified information has been a perennial problem, there is still helpful public-private collaboration going on both formally and informally.
On an entirely different track, though, U.S. and global regulators have announced a series of new or pending regulations dictating how banks should manage this risk. There is every reason to conclude that their rules will do more harm than good. First, the banking agencies have little cyberexpertise. Examiners generally have no security clearances, and certainly do not participate in real-time responses to attacks. So it should surprise no one that the rules they draft in this area are simplistic and written on a one-size-fits-all basis.
Second, they are writing static rules to govern an incredibly dynamic, hostile battlefield. And common rules can provide a roadmap to those looking to penetrate bank systems.
Finally, the rules are frequently conflicting or overlapping, and require firms to misallocate extraordinary time and resources to writing policies and procedures, documenting compliance with them, and defending that process to auditors and examiners, rather than frequently updating their strategies to meet changing threats. Bank regulators also are proposing rules that diverge both in lexicon and approach from the National Institute of Standards and Technology's cybersecurity framework issued in 2014 and updated through constructive public-private sector collaboration.
Compare this regulatory morass to the report of the presidential cybersecurity commission. Action Item 1.1.1 begins: "The President should direct senior federal executives to launch a private-public initiative, including provisions to [enable] agile, coordinated responses and mitigation of attacks on the users and the nation's network infrastructure." The report repeatedly emphasizes the need for collaborative public-private partnership, not rulemaking. It proposes numerous ventures — to be led by NIST or the Department of Homeland Security or the Industrial Control Systems Cyber Emergency Response Team — not financial regulators. And it emphasizes the importance of removing obstacles to information-sharing, including Freedom of Information Act and state transparency laws, discovery in civil litigation, use in regulatory enforcement investigations or actions, use as record evidence in regulatory rulemaking processes, and waiver of attorney-client privilege. Most of those obstacles are created by regulators.
Because these recommendations run exactly counter to the current regulatory trend, the commission specifically recommends that regulatory agencies be forced to harmonize existing and future regulations with NIST's Cybersecurity Framework issued in 2014 — with a goal of "reducing industry's cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation." It notes that "disparate regulations risk redundancy and confusion among regulated parts of our economy." It finds that federal regulators have failed to harmonize their efforts relating to the framework, an action called for in Executive Order 13636 but never executed. Indeed, the commission recommends that the Office of Management and Budget issue a circular that makes the adoption of regulations that depart significantly from the NIST framework explicitly subject to a regulatory impact analysis, quantifying the expected costs and benefits of proposed regulations.
One can only wonder why banking regulators are so engaged on a regulatory crusade that defies federal policy and common sense. One possible explanation: If a bank falls victim to a cyberattack, history teaches that the banking regulators will be hauled before Congress and excoriated. And their answer must then be, "We issued regulations."
The goals of state regulators are harder to divine. The New York State Department of Financial Services has announced that through recently proposed regulations, it is "leading the nation in taking decisive action to protect our consumers and our financial system from serious economic harm." One could reasonably ask: Should the New York State Department of Financial Services be leading the defense of our nation against this key national security threat? The department's proposed rules would require it — not, say, the National Security Agency — to be notified within 72 hours of a cyberattack. What productive use would a state financial services regulator make of such information? And what if the banking departments in California and Iowa and Arizona also decide to lead the defense of our nation?
The good news is that the solution to this problem is abundantly clear. As part of its cyberstrategy, the incoming administration must grant bank regulators immunity from blame in the event of a cyberattack. Banking regulators should bear no more responsibility if a bank suffers a cyberattack than if it suffers a biological attack or a chemical weapons attack or a missile attack. The administration should also issue a rule clearly pre-empting state regulation in this area.
Regulation, like nature, abhors a vacuum. As the commission report wisely recommends, the incoming administration should clearly and definitively assign responsibility and accountability for defending the financial services sector to those agencies in government with the knowledge, expertise and authority to assist in that defense. Agility and innovation: in. Static rules and box checking: out. The threat is simply too serious to do it any other way.
Greg Baer is president of The Clearing House Association.