17 May, 2016
A group of trade bodies representing businesses from across the financial services sector has called on regulators and standards-setting bodies to ensure that measures they draw up to enhance cybersecurity are technologically neutral.
The bodies have drawn up new international cybersecurity, data and technology principles (4-page / 19KB PDF) that they hope the Financial Stability Board (FSB) and the International Organization of Securities Commissions (IOSCO) will consider when setting "policies and standards regarding cybersecurity, data and technology".
In their paper, the Asia Securities Industry & Financial Markets Association (ASIFMA), European Banking Federation (EBF), International Swaps and Derivatives Association (ISDA) and Securities Industry & Financial Markets Association (SIFMA) said "cybersecurity threats, risks, and the technology that mitigate them shift faster than regulations and standards can respond" and that this needs to be reflected in standard-setting and the formulation of regulations.
"We encourage proactive interaction between governments, regulators, and industry participants," the bodies said. "Policies that require specific technology requirements, detailed technical reviews or other processes by regulators will be reactive to the threat environment and to adversaries that seek to take advantage of vulnerabilities."
"In addition, embedded regulations and prescriptive standards can become quickly outdated as cyber risks and the technology that addresses them evolve. This fast-changing threat environment, coupled with rigid technology solutions, can create obstacles to protecting financial institutions and their clients. As policymakers in a number of markets have already recognised, effective regulations go beyond assessing whether an institution is compliant with a particular standard and instead ensure that sufficient people, processes and technology are in place to manage risks," they said.
One of the principles developed by the bodies calls for recognition that there is "no one-size-fits-all approach to cybersecurity" and for regulations to enable cybersecurity programs that are "risk-based, threat-informed, and based on the size, scope, function and business model of the entity being regulated".
"The best approach for developing technology policies is open and transparent formulation and implementation, which allows stakeholders to provide meaningful input to regulators," the bodies said. "This helps ensure that the resulting regulations are effective, compatible with global norms, and unlikely to cause unintended consequences. In particular, effective prudential frameworks and policies must allow companies to conduct their own risk assessments and determine what technology best meets their security needs."
For further information, please contact:
David Rennick, Partner, Pinsent Masons
david.rennick@pinsentmasons.com