A chorus of officials and outside experts back harmonizing existing regulations for cyberbreaches, rather than implementing new requirements on businesses, such as financial advisors.
They note how there are already numerous rules, or relevant guidance, in place, and many question why more are needed.
For instance, Andrew Vollmer, a law professor at the University of Virginia and former deputy general counsel at the Securities and Exchange Commission, told ThinkAdvisor that “no strong case for new laws has been made.”
“New laws impose significant costs of compliance, breed false confidence, are rigid, and reduce the flexibility of responding to new forms of attacks,” he cautioned. “A new law is not justified at this time.”
“Laws already exist that make cyber misconduct a federal crime,” Vollmer points out. “Broker-dealers, public companies, and investment advisers are not resisting solutions to the threat of hacking; they are in favor of protecting against cyberintrusions. Cyberintrusions are very costly to businesses. They need cost-effective and workable solutions. If those existed, we have every reason to believe that regulated members of the securities markets would be prepared to adopt them without the compulsion of a law.”
Some pro-consumer advocates would like to see increased cyberrules on businesses, especially after the Equifax breach and similar attacks.
But, in November, Securities Industry and Financial Markets Association (SIFMA) President and CEO Kenneth Bentsen told the House Subcommittee on Financial Institutions and Consumer Credit that he favors “regulatory harmonization.”
“(T)he emergence of many regulations from multiple regulators may lead to a suboptimal balance of industry resources devoted to compliance versus security,” he warned in a statement, adding that “financial institutions shouldn’t have to devote limited resources to redundant regulatory and supervisory requirements at the expense of actual security-based activities.”
“Enhanced harmonization of regulatory standards and supervision would improve the efficient use of critical cyber resources,” he explained.
His statement comes as, over the past two years, regulators proposed or made final over 30 new cyberrules and regulations applicable to the financial services industry, Bentsen said. “While regulations can help raise expectations and define strong standards for market participants, the volume of regulations have resulted in requirements which are sometime overlapping, duplicative and conflicting,” he said.
Already, specifically for the financial services industry, there are 11 federal agencies that make some form of cybersecurity requirements, according to Bentsen. “This is in addition to individual states’ requirements and those of self-regulatory organizations.… These rules and guidelines are further layered with standards developed by the National Institute of Standards and Technology and the International Organization for Standardization, which guide financial institutions in setting cybersecurity standards and measuring the adequacy of cybersecurity programs,” he added.
Even SEC Chair Jay Clayton noted how his commission is working on harmonization. “The SEC is … working closely with fellow financial regulators to improve our ability to receive critical information and alerts, react to cyber threats and harmonize regulatory approaches,” Clayton testified in September before the Senate Committee on Banking, Housing and Urban Affairs.
Some outside experts share the concern. “The problem of hodgepodge rules is very real,” Howard Yu, a professor at IMD, told ThinkAdvisor. “The basic problem is that it leads to weak enforcement mechanism. Not only the legal framework may lack consistencies, it would also cause unnecessary complexity. Once complexity increases, loopholes can easily be exploited by industries.”
Still, another issue is that cyberattacks are a constantly evolving threat and often need tailored responses involving multiple jurisdictions. In response, Yu agrees that “the development of cyber issues is so rapid. There are too many unknowns. It would be impossible to lay down all the guidelines once and for all.”
Even if there were agreement on what form new cyberbreach regulations would take, there is still the issue of which agency should take the lead on crafting and enforcing the rules. Experts gave differing opinions on the SEC’s possible role.
“No single agency would be able to single-handedly define cyberrules going forward,” Yu said. “The U.S. Securities and Exchange Commission would be a natural candidate to govern cybersecurity related to financial transactions…. However, financial transactions are only one facet that faces the threat of cyber-attack. And in terms of law enforcement, the scope of such operation would demand extensive collaboration.”
Also, Vollmer cautions that the SEC “could adopt a rule applicable only to certain types of persons — broker-dealers, investment advisers, investment companies, transfer agents, and the like.”
“The SEC has developed some experience and knowledge about computer and internet risks and abuses, but it has only a partial and limited view of the problem,” he added.
Moreover, Tamar Frankel, a professor at Boston University School of Law, could see the SEC being given a dominant role in enacting any new laws as they apply to financial advisors.
“The SEC … is familiar with the strengths and weaknesses of financial advisers and would know the context in which they operate and create, or, are subject to the danger of cyber-attacks,” Frankel said.
Perhaps, the Department of Homeland Security could take the lead role – if such a move were needed, Vollmer said.