Worldwide: Financial Industry Associations Recommend Adoption Of Global And Preventative Cybersecurity Policy

ISDA, SIFMA, Asia SIFMA ("ASIFMA") and the European Banking Association ("EBA") (collectively, "the Associations") outlined a set of principles that they deemed "essential" to the formation of effective cybersecurity, data and technology policies. The Associations submitted these principles to the Financial Stability Board and IOSCO for review.

The Associations identified "two crucial issues that must be recognized before effective policymaking can be established": (i) cybersecurity, data protection and technological advancement are international issues that require global solutions, and (ii) cybersecurity threats, risks and technological advances shift faster than regulations and standards can respond.

The Associations asserted that the purpose of effective regulation is to ensure that enough people, processes and technologies are in place to manage risks. They concluded that effective prudential frameworks and policies must permit companies to conduct their own risk assessments and determine which kinds of technology are best at meeting their respective security needs.

Commentary

The Associations recognized that (i) the regulators tend to know less materially than the industry about cybersecurity, and (ii) industry participants have every incentive to improve their cybersecurity defenses. The philosophical question presented is whether the regulators can resist the temptation to adopt prescriptive rules. Such rules are more likely to impede the work that firms do than they are to be useful.

To find examples of overly prescriptive rules, one only has to review Dodd-Frank's rules on risk management, which require completely unrelated types of risk to be reported to the same manager, even though doing so runs contrary to the operations of any rationally managed business. The end result is that firms are burdened with two types of reporting lines: one for the real and reasonable world, and one that must meet prescriptive regulatory requirements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.