Cybersecurity: The New Financial Regulatory Reform
While the SEC and CFTC may be stalled in completing new regulations of the financial sector, the Obama Administration is moving ahead full-force, introducing a Cybersecurity Proposal that could mean changes for the financial sector.
As it stands, there are 48 different state cybersecurity statutes, making it difficult for large, national and international firms to navigate the complex regulatory structure, particularly when state statutes conflict. The Administration’s proposal would create a single, national cybersecurity and data breach notification standard, which many companies say will make compliance easier.
Not so for financial firms, however. The majority of existing state statutes exempt financial firms, leaving the industry to be governed by its own best practices and agency guidance. Under the proposal, many financial firms would be designated covered critical infrastructure, and thus subject to additional regulations and oversight in the interest of protecting national economic security. These entities would be required to establish and submit cybersecurity and risk mitigation plans, and would be subject to periodic evaluations by the Department of Homeland Security (DHS).
The financial services industry has come out largely in support of the measure, saying that a national standard will simplify compliance and codify the efforts that financial firms are already making, though it has called for more sector-specific regulation by individual agencies, rather than by DHS.
House Republicans have come out strongly against the proposal. During a hearing last month, House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet Chairman Bob Goodlatte (R-VA) said mandatory federal standards are unrealistic given how quickly technology advances and cybersecurity needs change. Rep. Darrell Issa (R-CA) expressed concern that the “voluntary” information sharing described in the bill isn’t truly voluntary when the federal government has the ability to “make life miserable for private-sector companies.” The Administration counters that the proposal takes a “light touch” in regulating privately owned critical infrastructure. Senate Republicans have yet to weigh in, and it is unclear how active they will be on this issue, given that not a single Republican Senator attended Wednesday’s Senate Banking Committee hearing on data security in the financial sector.