SIFMA Publishes Recommendations for Cybersecurity Regulatory Guidance

SIFMA published a paper titled "Principles for Effective Cybersecurity Regulatory Guidance."

The paper outlines ten principles that can serve as a framework for "robust and efficient" cybersecurity guidance:

  • Principle 1: The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community;
  • Principle 2: Recognize the Value of Public-Private Collaboration in the Development of Agency Guidance;
  • Principle 3: Compliance with Cybersecurity Agency Guidance Must Be Flexible, Scalable and Practical;
  • Principle 4: Financial Services Cybersecurity Guidance Should Be Harmonized across Agencies;
  • Principle 5: Agency Guidance Must Consider the Resources of the Firm;
  • Principle 6: Effective Cybersecurity Guidance Is Risk-Based and Threat-Informed;
  • Principle 7: Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews;
  • Principle 8: Crisis Response Is an Essential Component to an Effective Cybersecurity Program;
  • Principle 9: Information Sharing Is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms' Confidences; and
  • Principle 10: The Management of Cybersecurity at Critical Third Parties Is Essential for Firms.

The principles, according to SIFMA, are designed to facilitate "next steps" to build upon and "solidify" a collaborative approach to cybersecurity in order to enhance efforts to combat cyber threats.

See: Principles for Effective Cybersecurity Regulatory Guidance.
