On October 20, 2014, the Securities Industry and Financial Markets Association (SIFMA) issued guidance intended to protect the financial sector’s data security and infrastructure. SIFMA noted that the SEC, CFTC and other regulatory agencies are conducting a review of their cybersecurity policies, regulations, and guidance with the goal of strengthening the financial sector’s defense and response to cyber attacks, and harmonizing regulations and guidance for greater effectiveness. To facilitate the effort between SIFMA’s members and the regulatory agencies, SIFMA proposed ten cybersecurity principles for effective cybersecurity:

Principle 1: The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community

Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance

Principle 3: Compliance with Cybersecurity Agency Guidance Must be Flexible, Scalable and Practical

Principle 4: Financial Services Cybersecurity Guidance Should be Harmonized Across Agencies

Principle 5: Agency Guidance Must Consider the Resources of the Firm

Principle 6: Effective Cybersecurity Guidance is Risk-Based and Threat-Informed

Principle 7: Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews

Principle 8: Crisis Response is an Essential Component to an Effective Cybersecurity Program

Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences

Principle 10: The Management of Cybersecurity at Critical Third Parties is Essential for Firms

SIFMA’s principles for effective cybersecurity are based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity issued on February 12, 2014. To encourage adoption of the NIST framework, SIFMA recommends a collaborative approach between its members and regulatory agencies. SIFMA suggested an inter-agency harmonization working group to coordinate a review of cybersecurity regulations and guidance with input from SIFMA members and highlighted the importance of information sharing to improve cybersecurity defenses for the financial services industry.