Banks offer cybersecurity advice to government

An influential advocate for banks and financial services on Monday released 10 principles it believes the government should follow when issuing new cybersecurity regulations. 

While a partnership between the government and private industry is important, information sharing should be "limited to cybersecurity purposes," according to the Securities Industry and Financial Markets Association (SIFMA). 


“Cyberattacks are increasing in frequency and sophistication, and it is critical that the industry and government collaborate to mitigate these threats," the group's president and chief executive, Kenneth Bentsen, said in a statement. "We appreciate that the public sector has embraced this partnership and we will continue to offer our insights to help them in their work.”

The last year has seen a series of high-profile cyberattacks hit U.S. businesses, including one targeting JPMorgan Chase earlier this year that affected 76 million individuals and 7 million small-business accounts. News of the hack first surfaced in August, but the full extent of the damage was not revealed until earlier this month. Hackers accessed the names and contact information of customers, but not account or Social Security numbers.

The principles were issued in a paper by SIFMA on Monday — one in a series of initiatives focused in cybersecurity.

The ten principles provided from the group are included below: 

Principle 1:    The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community

Principle 2:    Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance

Principle 3:    Compliance with Cybersecurity Agency Guidance Must be Flexible, Scalable and Practical

Principle 4:    Financial Services Cybersecurity Guidance Should be Harmonized Across Agencies

Principle 5:    Agency Guidance Must Consider the Resources of the Firm

Principle 6:    Effective Cybersecurity Guidance is Risk-Based and Threat-Informed

Principle 7:    Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews

Principle 8:    Crisis Response is an Essential Component to an Effective Cybersecurity Program

Principle 9:    Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences

Principle 10:   The Management of Cybersecurity at Critical Third Parties is Essential for Firms