Prescriptive, “Rules-Based” Regulation is Key to Enhancing Cybersecurity in Financial Institutions

There is much debate in the compliance community about the virtues and drawbacks of a “principles-based” versus a “rules-based” regulatory approach in ensuring effective compliance with regulatory obligations. On the one hand, in “principles-based” regulation agencies establish broad but well-articulated principles that a business is expected to follow. There is clarity about the regulatory objective, but not how to design and implement a compliance system that accords with it. Firms can’t second guess regulators and may need to institute more robust systems to withstand supervisory scrutiny. On the other hand, in “rules-based” regulation agencies stipulate in detail what the regulated entity can and cannot do. There is clarity about the compliance process but the regulatory objectives may be ambiguous,[1] providing fertile ground for potential “gaming” of the regulation.

In settling the question on which approach is better it matters what the subject matter of the regulation is. Cybersecurity regulation is a case in point. A prescriptive regulatory approach may be particularly suited to cyber risks, which include common threats and state of the art technologies, and also to financial institutions, which are typically highly interconnected as transactional counterparties and in client-vendor relationships. At some level, “one size fits all” may be a good thing. The nominee for the SEC Chair, Jay Claybrook, has noted the systemic character of cyber risk and that isolated responses may not be effective.

Cybersecurity has become topic du jour. Issues of Russian hacking in the presidential campaign have been raised alongside invasions of government agency servers, the most recent example being WikiLeaks’ public posting on March 7 of internal CIA documents and files revealing that agency’s own hacking tools. These events add to the many recent instances of hacking of bank and other private companies’ IT systems.

In response, financial market regulators are responding to cyber threats by taking a more prescriptive approach to cybersecurity. By and large, existing cybersecurity regulation of capital markets and banking intermediaries has been principles- and standards-based, in the form of examination guidance, rather than prescriptive, rules-based regulation.

The New York State Department of Financial Services (DFS) in 2016 proposed requirements that many banks, insurance companies that do business in the state, and other financial institutions must satisfy. The requirements were revised in response to comment and became effective March 1. The rule requires these firms to maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems. Some key examples of mandatory items:

  • Appointment of a Chief Information Security Officer (CISO), who must annually report to the firm’s board of directors relating to its cybersecurity program and material cybersecurity risks
  • Annual penetration testing and bi-annual vulnerability testing
  • Annual certification of compliance with the regulation by the board chairperson or a senior officer
  • Multi-factor authentication for users externally accessing internal systems unless the CISO has approved use of reasonably equivalent or more secure access controls

To a certain extent the DFS requirements are not onerous in that they incorporate best practices of the finance industry and align with the existing standards. However, the DFS rule mandates compliance with specific requirements, increasing regulatory risk for financial institutions. In addition, the annual certification requirement potentially exposes the individual submitting the certification to personal liability, as discussed in a September 2016 PwC post.

A more prescriptive approach to cybersecurity has just been initiated by the three main federal banking agencies, the Federal Reserve Board, the OCC, and the FDIC (Agencies). The Agencies issued a joint “advance notice of proposed rulemaking” (ANPR) in October 2016, entitled “Enhanced Cyber Risk Management Standards,” that seeks comment on various proposals for potential regulation of cybersecurity in depository institutions and bank holding companies with assets equaling at least $50 billion. The Agencies propose a tiered system that imposes higher requirements for institutions that manage “sector-critical systems,” reflecting the Agencies’ post-crisis focus on systemic risk. An example of a potentially prescriptive provision would require firms to return such systems to operations within two hours of a cyber incident. Among other things, the Agencies also are considering requiring firms to inventory all business assets on an enterprise-wide basis, prioritized according to assets’ criticality to their business functions, the firm’s mission, and financial sector.

Importantly, the Agencies propose incorporating their more prescriptive approach within their established prudential principles-based framework that focuses on corporate governance. To this end, the new regulation would require firms to incorporate cybersecurity risk management within the institution’s existing risk governance structure on an enterprise-wide level, specifically requiring direct board oversight. This approach would combine the advantages of both a rules-based and principles-based approach to cybersecurity. Firms across an industry would be mandated to install specific protective measures, but within an overall system that ensures management accountability for achieving the desired objective.

Note: This blog on the DFS and proposed federal banking cybersecurity regulation is in part an adaptation of material from Chicago-Kent’s online certificate program in Financial Markets Compliance. Click here for more information on this program.

[1] Pascal Frantz et al., Rule vs Principles Based Financial Regulation 1, SSRN publication (Nov. 25, 2014).