ABA, BPI urge federal coordination in cybersecurity regulation

Regulators should coordinate with each other to lessen the effect of overlapping requirements as they consider harmonizing federal regulations governing cybersecurity, the American Bankers Association and the Bank Policy Institute said today in a joint letter to the White House’s Office of the National Cyber Director.

In July, the office requested information about the challenges stemming from overlapping cybersecurity regulations as well as proposals for a framework under which regulators could accept other regulators’ recognition of compliance with baseline requirements. ABA and BPI said in their letter that the cybersecurity requirements for financial institutions are not directly duplicative due to slight variations in regulators’ authorities, but they usually apply to the same sets of activities, policies and procedures within firms. “The collective effect of supervision and oversight can cause significant strain on firms’ personnel, resources and ability to focus on innovation and keeping up with dynamic threats,” the associations said.

ABA and BPI recommended that regulators have practical experience and subject matter expertise, as effective oversight “requires that agency staff be well-versed in the industries they regulate.” The associations also said that common standards and frameworks support effective risk management and supervision, and that increased regulatory reciprocity will help cyber professionals keep pace with rapidly evolving threats. And they noted that financial institutions have complied with a myriad of security, privacy, operational resilience and third-party risk management requirements for decades.

“The current regulatory landscape for financial institutions—with significant overlap among multiple regulators—imposes significant costs with limited risk reduction benefits,” ABA and BPI said. “Efforts to streamline and deconflict existing requirements will help cyber professionals spend more time addressing the critical threats facing their organizations.”