Tuesday, November 5, 2024
John Court | Executive Vice President, General Counsel, Head of Regulatory Affairs & COO at BPI | Bank Policy Institute website

Senate committee examines ways to streamline federal cybersecurity regulations

The U.S. Senate Committee on Homeland Security and Governmental Affairs is hosting a hearing today to examine ways to streamline federal cybersecurity regulations and improve harmonization among the agencies tasked with enforcing these rules. The Bank Policy Institute (BPI) submitted a statement reiterating its recommendations to identify duplicative and conflicting regulatory regimes, establish common frameworks, and promote reciprocity.

Heather Hogsett, senior vice president of technology and risk strategy for BITS, stated: “Regulations are effective when those responsible for developing and enforcing those rules coordinate their approaches. The current state of affairs is a complex web of competing priorities where rules aren’t just duplicative but create confusion and contradict one another — the most glaring example being the SEC’s cyber incident disclosure rule that undermines congressionally mandated efforts to improve cyber incident response. Redundant and contradictory regulations strain the teams tasked with defending the nation’s financial system and harm America’s cyber preparedness. Regulators must work together to identify and address this overlap. We thank Congress for prioritizing this important discussion.”

The Department of Homeland Security issued recommendations in late 2023 emphasizing the need to harmonize cyber rules. Its Cyber Incident Reporting Council identified 45 different reporting requirements across the federal government, each with disparate standards and thresholds. Complying with the multitude of cybersecurity requirements takes time. According to a recent survey of large financial institutions:

- Chief Information Security Officers or comparable senior cyber leaders spend between 30 and 50 percent of their time on regulatory compliance matters.

- Cyber teams now spend more than 70 percent of their time on the same regulatory compliance activities.

Recommendations include exploring models for enhanced regulator coordination similar to the Federal Financial Institutions Examination Council (FFIEC), which promotes uniform supervision in banking by establishing a forum for agencies to develop joint standards and limit duplication.

Additionally, encouraging greater reciprocity among regulators would allow them to rely on one another’s documentation, testing, evaluations, and findings, preventing redundancy.

Promoting common frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework and the Cyber Risk Institute’s Sector Profile can simplify compliance while offering streamlined resources for managing cyber risk.

At a House Subcommittee hearing last month, the SEC’s cyber disclosure rule was cited as an example of regulation gone awry. Forcing banks to disclose information about a cyber event before fixes are in place often endangers banks, consumers, and the broader economy. Congress passed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 to make confidential information sharing faster and more efficient. Publicizing vulnerabilities through the SEC’s rule, however, undermines banks’ ability to work effectively with their government partners.

Had the SEC taken these coordination efforts into account, it might have arrived at a balanced rule that addresses both security needs and investor transparency. Instead, the rule faces opposition from industry stakeholders and from lawmakers of both parties, while ransomware gangs further exploit these disclosures.

The Bank Policy Institute is a nonpartisan public policy research group representing universal banks, regional banks, and major foreign banks operating in the United States. It produces academic research on regulatory topics while analyzing proposed regulations related to cybersecurity among other issues.

Austin Anton

Bank Policy Institute

austin.anton@bpi.com
