On October 20, 2014, the Securities Industry and Financial Markets Association (SIFMA) issued guidance intended to protect the financial sector’s data security and infrastructure. SIFMA noted that the SEC, CFTC and other regulatory agencies are conducting a review of their cybersecurity policies, regulations, and guidance with the goal of strengthening the financial sector’s defense and response to cyber attacks, and harmonizing regulations and guidance for greater effectiveness. To facilitate the effort between SIFMA’s members and the regulatory agencies, SIFMA proposed ten principles for effective cybersecurity:
Principle 1: The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community
Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance
Principle 3: Compliance with Cybersecurity Agency Guidance Must be Flexible, Scalable and Practical
Principle 4: Financial Services Cybersecurity Guidance Should be Harmonized Across Agencies
Principle 5: Agency Guidance Must Consider the Resources of the Firm
Principle 6: Effective Cybersecurity Guidance is Risk-Based and Threat-Informed
Principle 7: Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews
Principle 8: Crisis Response is an Essential Component to an Effective Cybersecurity Program
Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences
Principle 10: The Management of Cybersecurity at Critical Third Parties is Essential for Firms
SIFMA’s principles for effective cybersecurity are based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity issued on February 12, 2014. To encourage adoption of the NIST framework, SIFMA recommends a collaborative approach between its members and regulatory agencies. SIFMA suggested an inter-agency harmonization working group to coordinate a review of cybersecurity regulations and guidance with input from SIFMA members and highlighted the importance of information sharing to improve cybersecurity defenses for the financial services industry.