WASHINGTON (Reuters) - Wall Street’s top trade group is calling for the creation of a new inter-agency working group of regulators and the White House that would be tasked with developing consistent cybersecurity rules for the financial industry.
The recommendation by the Securities Industry and Financial Markets Association (SIFMA) was one of several unveiled on Monday as part of a new paper that lays out proposed “principles for effective cybersecurity regulatory guidance.”
The inter-agency harmonization working group could be led by the Office of Management and Budget, SIFMA said, and would be charged with avoiding “unnecessary overlap” and making sure that “any domestic requirements are consistent with international legal obligations”.
“You could have a patchwork ... for a big global bank, of five or six regulators all looking at this from a slightly different perspective, with slightly different guidance or principles of what they think is effective,” Karl Schimmeck, SIFMA’s managing director for financial services operations said in an interview.
SIFMA’s paper comes just a few weeks after JPMorgan Chase & Co shocked Wall Street with revelations that the names, addresses, phone numbers and emails of about 83 million households and small business accounts were compromised by hackers.
Although the cyber attack had been previously disclosed, the bank only recently revealed the extent of the attack, which was considered to be one of the largest data breaches in history.
The group also laid out principles for regulators to consider, saying for instance that regulators should tailor any cybersecurity rules to the size, resources and potential risks of a firm so that the rules are not “one size fits all.”
It also calls for having financial regulators engage in “risk-based” and “value-added” audits as opposed to mere “checklist reviews.”
The U.S. government has been struggling with trying to develop one uniform standard for protecting against cyber threats that retailers and banks face.
Currently, standards for when companies must disclose cyber attacks are governed by a patchwork of state regulations.
Congress has been unable to pass more comprehensive federal laws, and retailers, credit card companies and banks have all argued over who should be responsible for bearing the brunt of the costs in the aftermath of a major cyber breach.
Last Friday, President Barack Obama signed an executive order to beef up security on federal credit and debit cards, and he unveiled efforts by a series of major public companies to follow suit.
Reporting by Sarah N. Lynch; Editing by Nick Zieminski