Bank Policy Institute

24/07/2024 | Press release | Distributed by Public on 24/07/2024 22:01

BPI Supports the Streamlining Federal Cybersecurity Regulations Act

Dear Chairman Peters and Senator Lankford:

As Congress considers ways to harmonize cybersecurity regulations, the Bank Policy Institute writes to express our support for S. 4630, the Streamlining Federal Cybersecurity Regulations Act. Given the proliferation of cyber regulatory requirements that increasingly overlap or conflict with each other and divert attention away from keeping pace with cyber threats, we commend your leadership and attention to addressing the critical need for increased harmonization.

Within the financial sector, multiple agencies have overlapping cybersecurity regulatory and supervisory requirements on topics including information security, cyber risk management, incident reporting, governance, third-party oversight, and operational resilience. The collective effect of these requirements introduces significant operational strain and diverts front-line cybersecurity personnel from the day-to-day security activities necessary to protect their organizations from increasingly sophisticated cyber adversaries. In a recent survey of financial institutions, several firms reported their cyber teams spend more than 70 percent of their time on regulatory compliance activities, while the Chief Information Security Officers at those firms spend between 30 and 50 percent of their time on those same compliance matters. Diverting finite cyber resources in this way leaves less time for risk mitigation efforts and more strategic security initiatives to fortify defenses over the long term. Without increased coordination among regulatory agencies, financial institutions will be less well-positioned to keep pace with evolving cyber threats.

The Streamlining Federal Cybersecurity Regulations Act would mark an important first step toward aligning unnecessarily duplicative or divergent cyber regulatory requirements. The Office of the National Cyber Director (ONCD) is ideally suited to lead a Harmonization Committee and the development of a framework for achieving harmonization between regulatory agencies given its government-wide remit and previous work on this topic. We appreciate the legislation's requirement that all agencies, including independent regulators, consult with the Harmonization Committee before prescribing any cybersecurity regulation, which will help minimize duplicative or unhelpful requirements in the future. Moreover, the reciprocal compliance mechanism to be established as part of the harmonization framework appropriately recognizes the role regulatory agencies play in promoting sound cybersecurity practices while also acknowledging that cyber professionals need sufficient time for critical security activities.

Thank you for your leadership on this important issue as insufficiently harmonized cyber regulatory requirements are a long-standing challenge for financial institutions. We look forward to working with you on the advancement of this legislation and identifying a more balanced approach to cybersecurity regulation.

Sincerely,

Bank Policy Institute

cc:

The Honorable Rand Paul
Ranking Member
Homeland Security & Governmental Affairs Committee
U.S. Senate