The US Chamber of Commerce wrote to the Fed, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency regarding proposed rulemaking on Enhanced Cyber Risk Management Standards (ANPR) for financial institutions.
The Chamber wrote, “We agree that large financial institutions should have appropriate cyber risk management programs … Financial institutions have played a leading role in improving our nation’s cybersecurity and are keenly aware of the enormous risks that cyber threats pose to them individually and, by extension, the financial sector, and the broader economy. The agencies should encourage and support those entities’ continued cybersecurity leadership and collaboration by pursuing a flexible and risk-based approach. We consequently write to emphasize three points.”
The Chamber said, “the agencies should encourage continued cybersecurity leadership by the financial services industry; should support the collaborative development of risk-based approaches rather than impose prescriptive requirements; and should pursue regulatory harmonization and avoid creating additional regulatory duplication or confusion.”
“The cybersecurity of the financial services sector will depend upon the risk-based, outcome-focused efforts of financial entities in collaboration with government partners,” the Chamber stated, adding, “Additional standards straying from these principles are likely to inhibit entities’ use of best practices and cooperative sector initiatives, dampening cybersecurity innovation and leadership by financial institutions. The agencies thus should not attempt to impose prescriptive requirements, but support industry efforts to enhance financial sector cybersecurity.”
The Chamber said it is “urging policymakers to help agencies harmonize existing regulations with the NIST Cybersecurity Framework,” pointing out that, “The White House Commission on Enhancing National Cybersecurity report, which was released in December, emphasizes that regulatory agencies should harmonize existing and future regulations with the cyber framework to ‘reduce industry’s cost of complying with prescriptive or conflicting regulations that may not aid cybersecurity and may unintentionally discourage rather than incentivize innovation.’”