An influential advocate for banks and financial services on Monday released 10 principles it believes the government should follow when issuing new cybersecurity regulations.
While a partnership between the government and private industry is important, information sharing should be “limited to cybersecurity purposes,” according to the Securities Industry and Financial Markets Association (SIFMA).
“Cyberattacks are increasing in frequency and sophistication, and it is critical that the industry and government collaborate to mitigate these threats,” the group’s president and chief executive, Kenneth Bentsen, said in a statement. “We appreciate that the public sector has embraced this partnership and we will continue to offer our insights to help them in their work.”
The last year has seen a series of high-profile cyberattacks hit U.S. businesses, including one targeting JPMorgan Chase earlier this year that affected 76 million households and 7 million small businesses. News of the hack first surfaced in August, but the full extent of the damage was not revealed until earlier this month. Hackers accessed the names and contact information of customers, but not account numbers, passwords or Social Security numbers.
The principles were issued in a paper by SIFMA on Monday, one in a series of initiatives focused on cybersecurity.
The ten principles, as stated by the group, are:
Principle 1: The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community
Principle 2: Recognize the Value of Public–Private Collaboration in the Development of Agency Guidance
Principle 3: Compliance with Cybersecurity Agency Guidance Must be Flexible, Scalable and Practical
Principle 4: Financial Services Cybersecurity Guidance Should be Harmonized Across Agencies
Principle 5: Agency Guidance Must Consider the Resources of the Firm
Principle 6: Effective Cybersecurity Guidance is Risk-Based and Threat-Informed
Principle 7: Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews
Principle 8: Crisis Response is an Essential Component to an Effective Cybersecurity Program
Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms’ Confidences
Principle 10: The Management of Cybersecurity at Critical Third Parties is Essential for Firms