Securities Industry and Financial Markets Association (SIFMA) publishes recommendations for effective cybersecurity regulatory guidance 

SIFMA has published its “Principles for Effective Cybersecurity Regulatory Guidance,” which provides regulators with SIFMA members’ insight on productive ways to harmonize and create effective cybersecurity regulatory guidance. SIFMA’s goal is to promote a collaborative approach to cybersecurity that can foster innovation and strengthen efforts to protect financial industry operations and, most importantly, our clients. This paper is one in a series of initiatives undertaken by SIFMA focused on enhancing the industry’s cybersecurity preparedness and practices.

“Cybersecurity is a top priority for the financial services industry, which is dedicating significant resources to protect the integrity of the markets and the millions of Americans who use financial services every day. Effective and consistent regulatory guidance is a critical component of the broader cyber defense effort, as it promotes best practices and accountability across the financial sector,” said Kenneth E. Bentsen, Jr., SIFMA president & CEO.

“Cyber attacks are increasing in frequency and sophistication, and it is critical that the industry and government collaborate to mitigate these threats. We appreciate that the public sector has embraced this partnership and we will continue to offer our insights to help them in their work.”

Specifically, SIFMA’s paper outlines ten foundational principles that can serve as a framework for robust and efficient cybersecurity guidance. SIFMA’s recommendations are meant to help regulators as they move forward with plans to review, update and harmonize their cybersecurity policies, regulations, and guidance, in order to strengthen the financial sector’s defense and response to cyber attacks.

SIFMA members believe there is an opportunity to enhance regulatory guidance beyond existing requirements to improve the protection of the financial sector, and that a dynamic and collaborative partnership between the industry and government is the most effective path forward to accomplishing this goal. The benefits of this partnership approach led to the development of the NIST Cybersecurity Framework, which SIFMA is actively promoting within its membership and encourages regulators to use as a universal structure that can be leveraged as a starting point for creating a unified approach to cybersecurity.

Importantly, SIFMA’s paper notes that harmonization of regulatory guidance across agencies and across borders is essential to avoid confusion in the industry and the duplication of efforts. SIFMA recommends the development of an inter-agency harmonization working group that could coordinate the review of cybersecurity regulations, ensure consistency and receive private sector input.

SIFMA’s ten principles are:

Principle 1: The U.S. government has a significant role and responsibility in protecting the business community

Principle 2: Recognize the value of public-private collaboration in the development of agency guidance

Principle 3: Compliance with Cybersecurity agency guidance must be flexible, scalable and practical

Principle 4: Financial services Cybersecurity guidance should be harmonized across agencies

Principle 5: Agency guidance must consider the resources of the firm

Principle 6: Effective Cybersecurity guidance is risk-based and threat-informed

Principle 7: Financial regulators should engage in risk-based, value-add audits instead of checklist reviews

Principle 8: Crisis response is an essential component to an effective Cybersecurity program

Principle 9: Information sharing is foundational to protection, must be limited to Cybersecurity purposes, and must respect firms’ confidences

Principle 10: The management of Cybersecurity at critical third parties is essential for firms

A full copy of SIFMA’s “Principles for Effective Cybersecurity Guidance” can be found here.