Organizations representing accountants and auditors have made clear to three federal banking regulatory agencies that an effort to enhance cybersecurity risk management standards should focus on best practices but leave the implementation to the finance industry.
The Federal Reserve Board, Office of the Comptroller of the Currency, and the Federal Deposit Insurance Corp. likely will have their hands full in attempting to craft what the agencies refer to as “enhanced cyber risk management standards” for big and interconnected companies and their service providers.
The comment period closed Jan. 17 for the advance notice of proposed rulemaking issued in October 2016, with 15 organizations offering feedback.
AccountingWEB looked at four of the responses. The gist: Principles and best practices are welcome, but regulators shouldn’t be big-footing companies with rules and requirements.
The regulators’ goal is to increase the “operational resilience of these entities and reduce the impact on the financial system in case of a cyber event.” The standards would be tiered so that organizations critical to the functionality of the financial sector would face the toughest scrutiny.
The target organizations would be those with total consolidated assets of $50 billion or more, measured on an enterprise-wide basis, because cyber risks in one part of an organization could expose other parts to harm, the proposal states. And given the asset size, a security breach at one or more of these organizations “could have a significant impact on the safety and soundness of the entity, other financial entities, and the US financial sector,” the agencies say in the proposal.
At the newly created Association of International Certified Professional Accountants, Susan Coffey, CPA, CGMA, executive vice president for public practice, said agility is the order of the day.
“A consistent set of high-level principles or best practices (as opposed to specific, detailed, prescriptive rules or requirements) would keep the focus on agility and responsiveness to an ever-evolving challenge – to stay one step ahead of, not behind, current and future risks,” Coffey said in a prepared statement.
Besides, she added, several voluntary cybersecurity risk management frameworks already exist. And the American Institute of CPAs has developed a reporting framework that complements the others and allows companies to let stakeholders know how they are handling cybersecurity risks.
Similarly, Center for Audit Quality Executive Director Cindy Fornelli stated that all stakeholders in the matter of cybersecurity risk management, including the regulators, are best served when boards of directors are responsible for oversight.
“Each company is unique, and therefore a ‘one-size-fits-all’ approach to cybersecurity risk management would not be sufficiently agile to adapt to the variety of cyber risks each company faces,” she stated. “Accordingly, we believe boards should have flexibility as to how they approach and execute that oversight.”
Fornelli added that the proposal appears to put cybersecurity risk management and assessment of cybersecurity controls onto several functions that operate independently of each other, potentially resulting in “a redundancy of efforts already under the purview of internal audit.”
Likewise, Richard Chambers, president and CEO of the Institute of Internal Auditors (IIA), stated that internal audit is “well-positioned to provide assurance” for what the proposal seeks “as demonstrated by high-performing internal audit functions in the financial industry that already incorporate cyber risk management assessments in their overall audit plans.”
Cyber risks are dynamic and the organizations that would be affected by the proposal are varied in size and role, he said. The standards, therefore, should allow flexibility for developing frameworks.
And because the standards would apply to vendors to financial institutions, the IIA recommends a new type of provider cyber risk management reporting, “as this would greatly reduce the burden on these vendors of having multiple clients conduct individual assessments,” he stated.
The Risk Management Association took the position that enhanced standards don’t go far enough. The finance industry is at a disadvantage because it lacks quick access to the information about cyberthreats that law enforcement has.
“There should be a mechanism to permit the sharing of credible threat intelligence by law enforcement in order for institutions to take such actions as may be necessary to deter the resulting threat,” stated Edward DeMarco Jr., general counsel and regulatory relations director for the Risk Management Association.
Therefore, any standards should be guidance instead of rulemaking, “given the rapid speed by which the industry is changing, the concomitant pressure to innovate, and the evolving nature of cyberthreats, including, but not limited to, the intentions of the actors,” he stated.
The industry “should not move in lockstep to a particular state of readiness which may have the unintended consequence of creating a large scale and common vulnerability which could be exploited by bad actors,” DeMarco stated. “In short, the supervisory community does not want to inadvertently thwart ingenuity and problem-solving brought to bear by diverse industry participants through a prescriptive, by-rote approach to the promulgation of enhanced standards.”