A chorus of officials and outside experts back harmonizing existing regulations for cyberbreaches, rather than implementing new requirements on businesses, such as financial advisors.
They note that numerous rules and relevant guidance are already in place, and many question why more are needed.
For instance, Andrew Vollmer, a law professor at the University of Virginia and former deputy general counsel at the Securities and Exchange Commission, told ThinkAdvisor that “no strong case for new laws has been made.”
“New laws impose significant costs of compliance, breed false confidence, are rigid, and reduce the flexibility of responding to new forms of attacks,” he cautioned. “A new law is not justified at this time.”
“Laws already exist that make cyber misconduct a federal crime,” Vollmer points out. “Broker-dealers, public companies, and investment advisers are not resisting solutions to the threat of hacking; they are in favor of protecting against cyberintrusions. Cyberintrusions are very costly to businesses. They need cost-effective and workable solutions. If those existed, we have every reason to believe that regulated members of the securities markets would be prepared to adopt them without the compulsion of a law.”
Some pro-consumer advocates would like to see increased cyberrules on businesses, especially after the Equifax breach and similar attacks.
But, in November, Securities Industry and Financial Markets Association (SIFMA) President and CEO Kenneth Bentsen told the House Subcommittee on Financial Institutions and Consumer Credit that he favors “regulatory harmonization.”
“(T)he emergence of many regulations from multiple regulators may lead to a suboptimal balance of industry resources devoted to compliance versus security,” he warned in a statement, adding that “financial institutions shouldn’t have to devote limited resources to redundant regulatory and supervisory requirements at the expense of actual security-based activities.”
“Enhanced harmonization of regulatory standards and supervision would improve the efficient use of critical cyber resources,” he explained.
His statement comes as regulators have, over the past two years, proposed or finalized more than 30 new cyberrules and regulations applicable to the financial services industry, Bentsen said. “While regulations can help raise expectations and define strong standards for market participants, the volume of regulations has resulted in requirements which are sometimes overlapping, duplicative and conflicting,” he said.
Already, specifically for the financial services industry, there are 11 federal agencies that impose some form of cybersecurity requirements, according to Bentsen. “This is in addition to individual states’ requirements and those of self-regulatory organizations.… These rules and guidelines are further layered with standards developed by the National Institute of Standards and Technology and the International Organization for Standardization, which guide financial institutions in setting cybersecurity standards and measuring the adequacy of cybersecurity programs,” he added.