Will Cybersecurity Change U.S. Financial Regulation?
OK, so you either didn’t listen/watch President Obama’s State of the Union address last night or you were too busy today to catch more than the headline issues he mentioned having to do with immigration, healthcare, Afghanistan, etc. What I want to focus on are the two relatively small paragraphs that the President mentioned about cybersecurity. (And by the way, if you missed it, you’re not to blame! Cybersecurity wasn’t mentioned until 4,792 words into the speech!)
Here’s the Cliff Notes Version: Basically, the update is that President Obama signed an Executive Order yesterday focusing on improving the protection of our nation’s critical infrastructure. Both this Order, and the fact that he mentioned it in the State of the Union address, clearly point to the fact that cybersecurity is now a key issue attracting significant public attention and government action.
Here are a few additional points which are worth highlighting:
- Coordination: Boy oh boy is there a lot of it. If you’re unfamiliar with the alphabet soup nature of such initiatives, you’ll soon find yourself swimming in acronyms. But the bottom line is that while the press mentions the public-private sector cooperation, a great deal of the coordination appears in fact to be intra-governmental coordination. And if you take a step back, both types of coordination make sense. The private sector is reaching out to the government for assistance and the government itself needs to coordinate, seeing as how the Executive Order touches DHS, OMB, DoD, NIST, most cabinet-level government agencies, and various existing coordination groups. These existing groups include the Critical Infrastructure Partnership Advisory Council that “provides the operational mechanism for carrying out the sector partnership structure” and the Sector Coordinating Councils that are “the principal entity for coordinating with the government on a wide range of critical infrastructure protection activities and issues.”
- Impact on US Financial Regulators & US Consumers: It wouldn’t shock me if some banking regulators will be included in this initiative, since it wouldn’t be a stretch to argue that trading exchanges and financial institutions both fit within the Executive Order’s definition of “national economic security.” Whether or not smaller financial institutions are included is probably a topic for another day, but their service providers could certainly fall within scope. In addition, cybersecurity is now a household topic discussed around the dinner table; as such, it shouldn’t surprise anyone if customers (both organizations and individuals) soon start approaching their financial providers with questions about security, data protection, and the like. Perhaps consumers’ perceptions of security will weigh in on their decisions?
- A Risk-Based Approach: The term “risk-based” is only mentioned three times, but in three very key instances that are worth calling out. First, the standards which will underpin the Cybersecurity Framework at the heart of the Executive Order are to be risk-based as they weave together NIST standards, international standards, and industry best practices. Second, the Executive Order requires that DHS identify the critical infrastructure that “could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security” and to essentially use a risk-based approach in doing so. Third, the agencies related to the Framework are to propose “prioritized, risk-based, efficient, and coordinated actions” meaning that they have to determine what is truly critical to work on and what is merely nice-to-have.
Here’s my $0.02 on what to keep an eye out for in the coming weeks and months; stay tuned regarding:
- What does DHS Secretary Janet Napolitano identify as “critical infrastructure”?
- Will privacy concerns derail this effort altogether or merely slow it down or change its direction?
- Who in the private sector is raising their hand to participate?
- What actually is meant by “Cybersecurity Framework”?