Reg Overload Makes Firms Vulnerable to Cyberattacks
Sifma president and CEO Kenneth Bentsen has appealed to regulators to streamline their cybersecurity oversight of financial services firms. Under the current setup, with multiple rules and guidelines from multiple regulators and agencies, financial services firms are overloaded with compliance requirements that are a huge distraction from their efforts to ward off cyberattacks, he says.
Testifying before the House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit on Wednesday, Bentsen stated cybercrime is now a “bigger criminal enterprise than the global narcotics trade,” and “there is likely no greater threat to financial stability than a large-scale cyberevent.”
Bentsen observes that government, regulators and the financial services industry all agree cybersecurity should be a top priority.
But the solution to the constant threat of cyberattacks “cannot exclusively be more regulations,” he implored.
There have been 30 new cyberrules impacting the financial services industry either passed or proposed in the U.S. and around the world in the past two years, according to Bentsen. These rules are “duplicative, redundant and overlapping” and in some cases, even “conflicting.”
Bentsen says 13 U.S. federal agencies impose some form of cybersecurity requirements on the financial services industry. And that’s on top of requirements from individual states as well as SROs like Finra and the National Futures Association and in addition to guidelines set by the National Institute of Standards and Technology and the International Organization for Standardization.
“We need to find a way for our regulators to come together,” he said. “There’s got to be a better way to do this.”
Bentsen says the many rules from multiple regulators “may lead to a suboptimal balance of industry resources devoted to compliance versus security.”
Because of the current regulatory setup, financial services firms are spending “almost as much time” complying with cyberregulations (around 40% of their time) as they spend on cybersecurity itself.
“In simple terms, financial institutions shouldn’t have to devote limited resources to redundant regulatory and supervisory requirements at the expense of actual security-based activities,” he said.
He suggests regulators establish a unified cybersecurity framework and a common set of rules for the financial services industry, adding that cybersecurity standards developed by NIST would be a good basis for this common framework.
The NIST cybersecurity framework provides cybersecurity guidance for private companies to assess and improve their ability to prevent, detect, and respond to cyberattacks. The first version was published in 2014. It includes risk-based guidelines to help organizations identify, implement and improve cybersecurity practices, and creates a common language for cybersecurity issues. A new draft version was circulated in January for public comment.
Bentsen also used the hearing as an opportunity to express his reservations about the Consolidated Audit Trail database to be adopted by the SEC next year.
National securities exchanges, Finra, alternative trading systems and broker-dealers will be required to submit information on trade events, including customers and prices, to the CAT on a daily basis. Large broker-dealers will be required to start submitting information to the CAT by November 15, 2018, while small broker-dealers are expected to do so by November 15, 2019.
Bentsen said the CAT is expected to take in 58 billion records – orders, executions and quotes for the equities and options markets – and maintain data for over 100 million customer accounts and their unique customer information. Within just five years, Sifma thinks the data stored in the CAT will equal more than 10 times the content of all U.S. academic research libraries.
There is tremendous concern and skepticism within the financial services industry regarding the security of the data to be stored in the CAT, Bentsen said. He noted more than 3,000 users will have access to the “sensitive” personally identifiable information (PII) in the CAT and any cybersystem is “only as strong as its weakest link.” Sifma wants assurance the CAT will not introduce new data protection risks to the financial services industry.
Bentsen said the financial services industry’s concerns about the CAT are understandable, given the separate cyberbreaches at the SEC’s Edgar automated document filing system and at Equifax.
The SROs and other users that will have authorized access to the CAT “must have appropriate risk controls in place before the CAT goes live,” he said.
Bentsen said the SEC should also carefully consider exactly what information from financial services firms actually needs to be stored in the CAT. For example, “if the social security number is not really needed, then firms should not hold it.”
In August the SEC learned that an incident previously detected in 2016 may have provided the basis for illicit gain through trading. The SEC says a software vulnerability in the test filing component of its Edgar automated document filing system was exploited and resulted in access to non-public information. The SEC believes the intrusion did not result in unauthorized access to personally identifiable information, jeopardize the operations of the commission, or result in systemic risk.
In a Senate Committee on Banking, Housing and Urban Affairs hearing on the oversight of the SEC in September, Rep. Sherrod Brown, D-Ohio, questioned how the SEC can be trusted with sensitive data, given the Edgar cyberbreach and its failure to report the breach in a timely manner.
Equifax, meanwhile, suffered a data breach between mid-May and July, which exposed the personal information of around 146 million consumers, but the credit reporting agency didn’t publicly reveal the breach until early September.
Equifax’s failure to immediately notify authorities and the public about the data breach was a common concern cited by members of the House Financial Services Committee Subcommittee on Financial Institutions and Consumer Credit during this week’s hearing.
When asked for his opinion about this notification failure to the extent that it applies to Sifma’s member firms, Bentsen said cyberbreach notifications should be timely, but not before the full extent of the breach is well-known to the firm involved. Prematurely informing the authorities and the affected parties could lead to its own set of problems, he said.