Jason Harrell, DTCC Executive Director, Technology Risk Management & Head of Business and Government Cybersecurity Partnerships.
Resiliency has rapidly moved up industry and regulatory agendas as the threat of material disruption within the financial services sector (“sector”), including the continued growth of cyber threats, has moved from unlikely to inevitable. Resiliency is the practices and disciplines that enable firms to provide products and services to the marketplace in the face of potentially disruptive events, regardless of the nature or origin of such events, by anticipating, preventing, recovering from, and adapting to such events.
Most organizations have committed significant resources to implementing strong cybersecurity controls that integrate new techniques and existing technologies with the more established risk management methods. However, these controls form only part of what is necessary to achieve a robust level of resiliency, due to the complexity of the marketplace, the connectedness driven by new market entrants, the digitalization of financial services, and the increased activity of well-funded, malicious threat actors.
Regulators and standard setting bodies (SSBs) continue to elevate their interest in this area. Many firms have adopted standards in the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), a collection of cybersecurity best practices and evaluation criteria. The NIST framework has become a key benchmark of a successful cybersecurity program. Leveraging the NIST CSF, the sector can also identify priority areas for improvement based on the expected level of control by the organization.
Building upon the NIST CSF, the Financial Services Sector Coordinating Council (FSSCC), a public-private partnership designed to protect the sector from cyber-attacks, recently introduced the Cybersecurity Profile. The Profile, developed in partnership with regulatory agencies, integrates supervisory expectations to help financial institutions demonstrate compliance with cyber risk management requirements. The Profile is a good example of a successful partnership between supervisors and the sector to decrease regulatory compliance costs, provide a means to measure each firm’s cybersecurity programs across the sector based on their size and criticality, and redeploy saved resources to protecting the organization.
Led by the Bank of England, the Prudential Regulation Authority, and the Financial Conduct Authority, who published a joint discussion paper detailing their collective views on what would be required to enhance an organization’s resiliency and the steps supervisors should take to support the sector, market supervisors have also begun to focus on resiliency. Additionally, action has been taken to strengthen resiliency across the EU, with ESMA evaluating the need for industry guidelines.
As the regulatory landscape continues to evolve, it is possible for different sets of regulatory guidelines to emerge, which make compliance difficult – and sometimes, impossible – for firms operating globally. To achieve regulatory consistency, regional supervisors should review existing international guidance and partner with the sector to coordinate resiliency-related requirements and outline how firms could meet them. Several frameworks, including the FSSCC Cybersecurity Profile, already exist in the marketplace and could build the foundation for a collaborative, global regulatory effort.
Equally important to a firm’s ability to improve resiliency is its ability to collaborate across the sector to share information, understand risks, identify new threats and develop coordinated responses between organizations. The Financial Systemic Analysis and Resiliency Center (FSARC), a partnership between the sector, the U.S. government, and other key sector partners, provides a controlled environment where the participants can securely collaborate. These collaborations strengthen the sector defenses and increases its ability to consistently provide products and services to the marketplace.
These public-private collaborations also enhance market access on a global basis. The interconnectedness of the sector increases access to financial services, enhances customer experience, and promotes financial literacy. These benefits require a network of services that spans across borders and regulatory jurisdictions. The coordination of regulatory guidance and the ability to share differing levels of information through public-private partnerships are critical to providing consumer-centric environment and building further resiliency across the sector.
This article first appeared in RegTech Insight on September 19, 2019.