On May 9, 2016, the International Swaps and Derivatives Association, the European Banking Federation, and the Global Financial Markets Association (comprised of three other industry associations, including the Securities Industry and Financial Markets Association) published a set of common principles to promote effective global policymaking on cybersecurity, data and technology (the Principles). These industry groups are seeking constructive cooperation with regulators on the Principles by submitting them to the Financial Stability Board and the International Organization of Securities Commissions (IOSCO).
The Principles follow a report published in April 2016 by IOSCO that provided an overview of some of the different regulatory approaches related to cybersecurity that IOSCO members have implemented and the different practices that market participants have adopted to address cybersecurity issues.
The Principles appear to be an effort by the financial industry to promote greater international coordination among regulators in the ongoing dialogue regarding cybersecurity in the financial sector. For instance, the IOSCO report functioned primarily as a survey of various regulatory approaches in different jurisdictions, with little emphasis on any preferred approach. In contrast, the Principles highlight the crucial issue that effective policymaking requires recognizing that cybersecurity, data protection and technological advancement in the financial sector are international issues that require global solutions.
In addition, the Principles encourage global standards and cooperation in order to mitigate the problem of asking international firms with global platforms to comply with conflicting rules in different markets or jurisdictions, which could lead to increased costs of compliance and fragmented technology systems or risk management processes. The Principles also promote rules that go beyond simply assessing whether a particular institution is compliant with a particular standard and instead ensure that sufficient resources are in place to manage risk and proactively interact with regulators to assess cyber threats and data protection.
Grappling with cybersecurity, data protection and appropriate technology policies remains an ongoing project for banks, asset managers, funds and insurance companies, as well as the regulators of those institutions. The costs related to these projects only increase for financial institutions that report to multiple regulators or operate across national boundaries. Encouraging standard-setting bodies to consider core, transparent policies and to receive meaningful input from market participants may help prevent duplicative or inconsistent standards across regulators.