Cyberthreats have grown rapidly in frequency and sophistication, and financial institutions are confronted daily with fresh reminders of the nation’s vulnerability to cyberattack, whether from criminals, terrorists, or hostile nation-states. The tactics and strategies of the attackers are growing more sophisticated, requiring prompt, nimble responses from the nation’s critical industries and thoughtful national security policy to assist in that defense effort. Unfortunately, U.S. and global banking regulators – and only banking regulators – are doing more harm than good in this area and need to stop.
Fortunately, a recent presidential commission report has issued a government- and industry-wide set of findings and recommendations for better defending our country against cyberattack. The report singles out financial regulators for criticism, and advises that they conform their regulation and guidance to National Institute of Standards and Technology (NIST) standards rather than duplicating or conflicting with those standards.
Banks Own Cybersecurity Risk
The nation’s banks understand the threats posed by cybersecurity attacks and have every incentive to mount robust defenses to such threats. Regulation is generally most warranted when moral hazard or other perverse incentives could lead banks to engage in activity that is contrary to safety and soundness and their chartered purpose. With cybersecurity, there is no moral hazard or perverse incentive. Banks own the risk associated with cybersecurity attacks and have every incentive to mitigate it.
Accordingly, banks employ tens of thousands of cybersecurity professionals – many of them former members of the intelligence community, law enforcement, or the military and some of the brightest minds in computer science and social engineering. The largest banks have disclosed that they spend $400 million to $500 million on cybersecurity annually. Broad industry collaboration supplements internal efforts with real-time information sharing and threat assessments through entities such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the United States Computer Emergency Readiness Team (US-CERT), cyberattack exercises, and the development of industry best practices and other standards. Those efforts are further enhanced by vital industry consultation with U.S. intelligence and law enforcement agencies that have real cybersecurity experience and expertise. Although the willingness of the government to share classified information has been a long-standing problem, there is still much helpful collaboration going on, both formally and informally.
The Regulatory Tower of Babel
There are three core problems with cybersecurity bank regulations.
First, bank regulatory and supervisory guidance in this area simply adds no value. Bank examiners lack expertise and experience in cyberdefense. Many regulatory and supervisory requirements run counter to best practices or seek to impose a "one-size-fits-all" solution on firms with widely diverse risks and capabilities; none provides useful insights or tools.
Second, cyberdefense is inherently difficult to regulate, because it means fighting on a complex, ever-changing battlefield. One-size-fits-all, static rules are unlikely to add any value, regardless of the expertise of the agency writing them. (Of course, this is why agencies with actual expertise in cybersecurity are loath to write such rules, and the NIST guidance, universally recognized as the state of the art, is far less prescriptive than much banking guidance.)
Third, the sheer number of regulatory and supervisory mandates has become a major resource drain on the cyberdefenses of U.S. banks. Since 2014, U.S. banks have seen issued or proposed at least 43 cybersecurity-related regulations, standards, guidance, examination expectations, and other requirements. Bank examiners often follow up on these issuances to impose additional, varying requirements as supervisory expectations. By one estimate, large multinational banks spend 40% of their cybersecurity efforts demonstrating compliance with regulatory standards. One firm told us it receives a new cybersecurity standard once a week on average.
As an analogy, consider a new National Football League majority owner who made his money in a business far afield from football but always enjoyed watching the games. Recognizing the importance of defense to winning, he drafts policies for his defensive coordinator to use in calling plays. These policies, which he makes public, remain in place for the entire season. Furthermore, given their importance to him, he insists that the defensive coordinator spend halftime and the third quarter of each game meeting with him to discuss whether first-half play calling has been in compliance with his policies. After the first game, his limited partners ask to draft their own set of standards and join the meetings, and he agrees. How would opposing offensive coordinators feel about this arrangement?
Perhaps the way hackers feel about financial regulation of cybersecurity. Although some of the regulatory and supervisory mandates imposed on U.S. banks incorporate a common lexicon and well-regarded cybersecurity frameworks, such as the NIST Framework or the International Organization for Standardization, others are rooted in differing frameworks, standards, and structures offering idiosyncratic terminology, approaches, and language. A partial mapping analysis of the requirements imposed by the current regulatory structure to the NIST Framework appears in Figure 1 and illustrates the extraordinary complexity that has been imposed in this area. (Editor's Note: Figure 1 and the Color Guide are used with the permission of the Financial Services Roundtable and the Financial Services Sector Coordinating Council.)
Because of the current lack of regulatory harmonization and alignment, the complexity of these requirements causes firms to expend substantial cybersecurity resources mapping to and reconciling the differing regulatory approaches. Disparate requirements in structure, language, exam questionnaires, frameworks, and tools actively hinder the ability of firms to identify key issues, evaluate the effectiveness of cybersecurity efforts, and devote maximum resources to actual cyberprotection. As earlier noted, with the multiple layers of cyber initiatives currently on the books and more being issued, some large multinational banks estimate that 40% of their cybersecurity efforts are spent on regulatory compliance. Experienced and knowledgeable cybersecurity resources are scarce in the marketplace – both in the financial sector and in the broader economy – so financial institutions cannot meet this administrative burden by simply investing in an expanded workforce. As a result, precious resources must be directed away from actual cybersecurity protection to compliance, actively hindering the security of the nation’s financial infrastructure. And technologists with the most expertise might reasonably wish to work in industries without regulatory distraction and risk.
With the introduction of a recent advanced notice of proposed rule-making (ANPR) on enhanced cybersecurity standards, the Federal Reserve Board, Office of the Comptroller of the Currency, and Federal Deposit Insurance Corporation took further steps likely to complicate already existing problems. As currently drafted, the ANPR includes 84 proposed standards addressing eight risk categories, all without any analysis of why the current regulatory framework is inadequate or how the proposed additional standards mitigate existing deficiencies. (Note: Indeed, the agencies go out of their way to note that the proposed standards are intended to be additive, not substitutes for existing standards. See ANPR at 74317). Further, many of the standards run counter to best practices and would increase cyberrisk. For example, the proposed standards would do the following:
- Mandate a two-hour or other prescribed recovery time without adequately considering the need for safeguards to ensure that systems are ready for reintroduction.
- Require that firms create a comprehensive list of applications that can run on their environment and that any applications not on this "white list" be automatically removed. This check-the-box approach does not work in a dynamic environment where applications are added and modified on a constant basis, and where an automatic shut-off could create massive operational risks. Responsible firms do manage application inventory, but using a risk-based, flexible approach.
- Make use of a rigid scoring system for assessing the maturity of a program. For example, many regulations and guidelines ask whether a firm maintains an application white list, as described above, rather than allowing for a more holistic, substantive review. This approach likely exists because examiners don’t have the expertise or resources to do the latter. Fail to use a risk-based approach for applying controls – for example, requiring documentation of all internal dependencies rather than just those that materially increase cyberrisk. This leads to a large misallocation of resources.
The agencies’ approach shows a lack of cybersecurity expertise. The people writing the rules and the examiners enforcing them aren’t veterans of the intelligence, law enforcement, or military; they don’t have doctorates in computer science; and they aren’t white hat hackers. They generally have no security clearances, and certainly do not participate in real-time responses to attacks. As a result, the rules are necessarily simplistic and written to favor compliance exercises over active defense.
This tortuous approach to cybersecurity regulation does not stop with the federal financial regulators. The New York State Department of Financial Services has announced through recently enacted regulations that it is "leading the charge to combat the ever-increasing risk of cyber-attacks." This invites the question: Should the New York State Department of Financial Services (or any other state, for that matter) be leading the defense of our nation? The rules require the New York State Department of Financial Services – not, say, the National Security Agency – to be notified within 72 hours of any cybersecurity attack. What productive use would a state financial services regulator make of such information? And what if the banking departments in California and Iowa and Arizona also choose to lead the defense of our nation? No state should be "leading the charge" on cybersecurity; a thoughtful and comprehensive national approach is needed.
A Meaningful Regulatory Cybersecurity Framework
In contrast to the existing regulatory morass is a recent report by the nonpartisan Presidential Commission on Enhancing National Cybersecurity, which proposes thoughtful and innovative solutions. Action Item 1.1.1 begins: "The President should direct senior federal executives to launch a private-public initiative, including provisions to [enable] agile, coordinated responses and mitigation of attacks on the users and the nation’s network infrastructure." The report repeatedly emphasizes the need for a collaborative public-private partnership, not rule-making. It proposes numerous ventures, to be led by NIST or the Department of Homeland Security or the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) – not financial regulators. And it emphasizes the importance of removing obstacles to information sharing, including Freedom of Information Act (FOIA) and state transparency laws, discovery in civil litigation, use in regulatory enforcement investigations or actions, use as record evidence in regulatory rule-making processes, and waiver of attorney-client privilege. Most of these obstacles are created by regulators.
Because these recommendations run counter to the current regulatory trend, the Presidential Commission specifically recommends that regulatory agencies be forced to harmonize existing and future regulations with the Cybersecurity Framework issued in 2014 – with a goal of "reducing industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation." It notes that "disparate regulations risk redundancy and confusion among regulated parts of our economy." It finds that federal regulators have failed to harmonize their efforts relating to the Cybersecurity Framework, an action called for in Executive Order 13636 but never executed. Indeed, it recommends that the Office of Management and Budget issue a circular that makes the adoption of regulations that depart significantly from the Cybersecurity Framework explicitly subject to its regulatory impact analysis, quantifying the expected costs and benefits of proposed regulations:
[A]n agency that advances an approach which substantially departs from the baseline framework would be required to make the case that its added cost is outweighed by a public benefit. Likewise, to reduce the impact on industry of overlapping and potentially conflicting requirements, it is important that state and local regulatory agencies strongly consider aligning their approaches with the risk management–oriented Cybersecurity Framework.
Consistent with recommendations made in the Commission Report, The Clearing House believes that five key issues must be addressed to ensure a meaningful regulatory approach to cybersecurity.
First, advances in cybersecurity protection should be pursued through public-private collaboration under the guidance of the Department of Homeland Security and not through additional rule-making or guidance from banking regulators. One venue for such a discussion could be a sectorwide group such as the Critical Infrastructure Partnership Advisory Council (CIPAC) Financial Services Sector Cybersecurity Profile Development Working Group. CIPAC was established by the Department of Homeland Security (DHS) to "facilitate interaction between governmental entities and representatives from the community of critical infrastructure owners and operators" on "a broad spectrum of activities to support and coordinate critical infrastructure security and resilience." The use of the CIPAC Working Group for this dialogue would not only enable better coordination with DHS and other federal agencies with real cybersecurity expertise but would also ensure that policies are developed and applied at a national level and that cross-sector dependencies are adequately addressed through DHS’s leadership.
Second, the banking agencies should work with industry and DHS to map, harmonize, and consolidate their existing standards into a single document with established baseline principles and stated goals and must further ensure that such standards do not depart materially from the Cybersecurity Framework. Once consolidated, a gap assessment of existing standards against stated goals could be performed to determine whether there are any gaps warranting further regulatory action. Such consolidated guidance would not only be constructive in simplifying the administrative compliance burden for covered financial institutions – consistent with the recommendations of the presidential commission – but it would also facilitate further discussions, both within the financial sector and with industry and regulators in other agencies, regarding how to strengthen the economy’s cyberresiliency writ large.
Third, the White House and Congress should work together to remove obstacles to information sharing, including regulations that impose obstacles to financial institutions freely sharing information about their risk management practices. The free flow of information on attack vectors, methods, and best practices for defense is one of the most potent weapons the industry has to defend itself. It is unnecessarily impeded by FOIA and state transparency laws, the threat of discovery in civil litigation, use in regulatory enforcement investigations or actions, use as record evidence in regulatory rule-making processes, and the threat by supervisory agencies to force a waiver of attorney-client privileged information. These obstacles need to be removed.
Fourth, the administration must grant banking regulators immunity from blame in the event of a cyberattack. The fear of being hauled before Congress and excoriated provides an incentive for a regulatory crusade that defies federal policy and common sense in order for regulators to point to doing "something" in the face of a threat. Banking regulators should bear no more responsibility if a bank suffers a cyberattack than if it suffers a biological attack, a chemical weapons attack, or a missile attack. The DHS must state unequivocally that defense of our country’s critical infrastructures is its job, not the banking regulators’ job.
Fifth, the administration should issue a rule clearly preempting state regulation in this area. Information technology systems are not amenable to state boundaries, and cybersecurity threats are not local in nature. The threat is national in scope. The response must be equal to the task. A conflicting patchwork of state standards is not the answer.
As a nation, we are currently at a key time in our approach to managing cybersecurity risks. The challenge is complex and constantly changing. Regulations that are compliance-focused and never changing are not the answer. Imagination and cooperation are. The stakes are too high to proceed otherwise.
About the Authors:
Greg Baer is President of The Clearing House Association and Executive Vice President and General Counsel of The Clearing House Payments Company. Prior to joining TCH, Baer was Managing Director and Head of Regulatory Policy at JPMorgan Chase. He previously served as General Counsel for Corporate and Regulatory Law at JPMorgan Chase.
Baer previously served as Deputy General Counsel for Corporate Law at Bank of America, and as a partner at Wilmer, Cutler, Pickering, Hale & Dorr. From 1999 to 2001, Baer served as Assistant Secretary for Financial Institutions at the U.S. Department of the Treasury, after serving as Deputy Assistant Secretary. Prior to working for the Treasury Department, he was managing senior counsel at the Board of Governors of the Federal Reserve System. Baer received his J.D. cum laude from Harvard Law School in 1987. He received his A.B. with honors from the University of North Carolina at Chapel Hill in 1984.
Rob Hunter is Deputy General Counsel and Executive Managing Director at The Clearing House, where he serves as the senior payments lawyer supporting its ACH, wire transfer, and check image payment networks, which clear and settle approximately $2 trillion daily. Hunter is also actively involved in counseling payments executives on numerous industrywide product development initiatives in a variety of payments-related areas, including real-time and faster payments, tokenization, electronic bill payments, medical payments, and other initiatives.
Hunter holds a B.A. degree from Northwestern University and a J.D. degree from the Duke University School of Law. He is a member of the American Bar Association Business Law Section’s Banking Law Committee, where for many years he served as Chair of the Subcommittee on Payments and Electronic Banking.