Financial services already being one of America’s most highly regulated industries, recent news that Wall Street’s top trade group was calling for creation of a new inter-agency working group comprised of data security regulators at first seems like an added layer of oversight and perhaps an odd step.
Was the plan set out by the Securities Industry and Financial Markets Association (SIFMA) a reaction to the recent acceleration of nationwide data breaches?
The increasing size of data security breaches was demonstrated by the recent JP Morgan data breach. With some 84 million customer records affected, the severity of the attack was a major wakeup call for the industry, particularly as JP Morgan’s cyberdefenses are considered to be among the finest in the industry.
Citigroup heard a wakeup call of its own. Charles Blauner, a senior Citigroup executive recently characterized the U.S. financial services sector as being “at war” when it comes to cybersecurity. Threats, he explained, emanate not only from the frequent attacks from cybercriminals. Foreign governments and overseas corporations pursue competitive information on client data, capital markets deals and pending acquisitions, seeking competitive advantage.
In addition, with financial services’ globally connected computer networks essential to its operation, the risks of bank disruptions leading to failures and possible systemic industry-wide breakdown raise the risks from cyber attacks to another level.
But are there other forces at work here driving SIFMA’s proposal?
For perspective I turned to financial services industry authority Sean Mahoney, partner in the Boston office of global legal firm K&L Gates, who offered that both internal and external forces were driving the motivation for the industry’s action.
“As an industry organization, SIFMA is representing its member firms’ concerns that, when there is a data breach, the firm is too often viewed by the regulators as a guilty party when in actuality the firm is a victim of malicious action,” Mahoney sad. “The regulators’ attitude can all too often be, ‘You had a breach, therefore you weren’t complying with regulatory standards.”
“It is becoming increasingly clear, not just in financial services but in all major business sectors nationwide that data breaches from cyber malware are a near certainty,” he adds.
“The clarity needed here is several fold. First is for the regulators to share the recognition what we are living in an era where security events are a way of life. Until cyber defense capabilities become more effective, breaches will continue to occur.”
“The second area of clarity is regulators’ acknowledgement that increased emphasis should be given to the financial services organization’s response strategy, i.e., if there is a breach, how quickly and effectively can the organization respond, limiting losses, exterminating the cause of the breach, and properly communicating with customers, partners and regulatory agencies?”
Blauner of Citigroup agrees. “You are going to get hacked. The bad guy will get you. Whether you are viewed as a success by your board of directors is going to depend on your response.”
Mahoney points out that achieving such clarity is more complicated than may be thought, since different regulators have different standards of data security regulatory compliance. “As SIFMA’s proposal states, there is a crying need for greater ‘harmonization’ between regulatory agencies so that the industry’s firms have a consistent set of compliance rules to adhere to.
Thus the interest in a working group of regulators? “Absolutely. SIFMA feels the best way out of the inconsistencies of the multi-regulatory conundrum is collaboration between all parties, regulatory and industry.”
“The industry wants to be compliant and can best do so with a consistent set of rules. It is saying ‘give us a set of standards, steps that will actually work. Then let us implement them and be held accountable.’ The ‘Ten Principles for Effective Cybersecurity Regulatory Guidance’ proposed by the association are meant to provide a framework for this discussion.”
Is expecting to get the many parties involved in financial services data security regulation together behind a united approach for the industry too big a stretch? I ask.
“The stakes for the industry – for the economy – are too high for this not to happen,” Mahoney answers. “Everyone knows effecting these changes will require cooperation. This will be a process, not an event.”