Historically, the government’s approach to defending the financial system against cyberattacks has been mostly hands-off. It allows companies to fend for themselves with limited governmental monitoring, and it tends not to intervene unless a cybercrime has been committed.
Unfortunately, cybersecurity is a complex issue and regulators tend to be limited in their knowledge and scope. As a result, the regulations they make generally tend to be broad and fairly simple, making the traditional banking regulation process a bad match for tackling cybersecurity.
Fixing the Cyber Issue
The first step is to spend fewer resources pointing out the threat of a cyberattack and to focus instead on state and federal regulations.
Officials should review the standards that they have put in place before creating new ones. A much easier solution is to adopt the National Institute of Standards and Technology guidelines rather than create new ones. A Presidential commission in 2016 found that these recommendations were sufficient to protect the financial industry against cyber threats.
If government regulators believe any additional guidelines are required, they should put them up for public comment and remove any that are inadequate.
Finally, not only should the banking industry take responsibility for protecting financial services; the government should as well. Financial institutions are regularly audited to ensure they comply with current regulations. It would be more efficient if these audits were carried out by a cybersecurity expert, with backing from the Department of the Treasury’s Office of Critical Infrastructure Protection.
Ultimately, there would have to be some sort of accountability, whether it be a senior official at the Treasury Department or DHS. Whoever the individual is, it would be up to them, not some random regulator, to explain how a cyberattack happened.
This system would allow greater efficiency and mobility in defending against the constantly changing landscape of cybersecurity.