Why More Cybercrime Regulations Just Aren’t Needed
To combat cybercrime in the financial services industry, regulators should focus on harmonizing existing regulations rather than introducing new ones, industry experts tell ThinkAdvisor.
New rules add to compliance costs, instill false confidence and constrain a firm’s ability to respond to new types of cyberattacks, Andrew Vollmer, a law professor at the University of Virginia and former deputy general counsel at the SEC, tells the publication. There’s simply no justification for new regulations currently, he says. Meanwhile, “hodgepodge rules” result in weak enforcement mechanisms, Howard Yu, a professor at Swiss business school IMD, tells ThinkAdvisor.
Already there are 11 separate federal agencies with cybersecurity rules aimed at the financial services industry, on top of whatever self-regulatory organizations and state regulators require, Sifma president and CEO Kenneth Bentsen told the House Subcommittee on Financial Institutions and Consumer Credit last month, according to the publication. The various rules sometimes overlap or conflict with each other, and what’s needed now is “enhanced harmonization” of the various standards, he said at the time.
SEC chairman Jay Clayton shares the concern about the number of regulators issuing cybersecurity rules, the publication writes. In September, he told the Senate Committee on Banking, Housing and Urban Affairs that the commission is working with other financial regulators to improve how they gather information and react to threats, as well as to “harmonize regulatory approaches,” according to ThinkAdvisor.
But experts disagree on which regulator should take up the reins in drafting and enforcing cybersecurity regulations, the publication writes. The SEC certainly has good knowledge of financial advisors’ preparedness for cyberattacks, Tamar Frankel, a professor at Boston University School of Law, tells ThinkAdvisor. But Vollmer tells the publication the SEC only has “a partial and limited view.” He suggests the Department of Homeland Security could head up the initiative, if it were needed, according to ThinkAdvisor. Yu, meanwhile, believes no single agency will be able to issue cyberregulations alone, and enforcement in particular would require “extensive collaboration,” he tells the publication.