The U.S. Chamber of Commerce is urging federal banking regulators to avoid imposing “prescriptive cybersecurity standards” on the financial sector and instead support such entities adopting a “risk-based” approach to address their unique threats.
In its Jan. 18 comment letter, the Chamber told the Federal Reserve Board, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency that imposing prescriptive cybersecurity standards on financial sector entities “would lead to standards that may become rapidly obsolete, an emphasis on compliance rather than security, and the potential undermining of existing public-private collaboration to mitigate cyber threats.”
The three agencies issued proposed joint standards last October that would apply to depository institutions and depository institution holding companies with assets of $50 billion or more, U.S. operations of foreign banking organizations with U.S. assets of $50 billion or more, and financial market infrastructure companies and nonbank financial companies supervised by the Federal Reserve.
The enhanced standards would not apply to community banks. Comments were due by Jan. 17.
The Chamber noted in its comment letter that while the agencies “have identified cybersecurity measures that may make sense for some financial institutions,” the Chamber is “concerned that we face a possible tipping point in the wrong direction in the financial services industry.”
The agencies’ proposed Enhanced Cyber Risk Management Standards “comes in the context of a misguided rulemaking by the New York State Department of Financial Services and a request for comment by the Federal Trade Commission on possible amendments to the Safeguards Rule,” the Chamber wrote, urging the agencies “not to create momentum for an effort to regulate away cyber risk. Such an approach would be a mistake: there is no regulatory silver bullet for cybersecurity.”