More rules may not be the best answer to protecting the financial system against cyber attacks, a Federal Reserve official said.
“I don’t think the solution to the cybersecurity problem rests in regulation,” Arthur Lindo, senior associate director of the Fed’s division of supervision and regulation, said Monday at a banking conference in New York. “We’re going to try a more flexible approach.”
The Fed and other regulators issued a notice of proposed rulemaking on cyber risk management standards last year, which is typically followed by a prospective rule. After the industry and others involved in computer security discouraged regulators from creating a standard, they decided not to proceed, Lindo said.
Lindo’s comments come weeks after Equifax Inc. announced a massive consumer data breach that led to the theft of personal information of more than 145 million people. Lawmakers including Idaho Republican Mike Crapo, head of the Senate Banking Committee, have asked the Fed and other regulators whether they need more authority to help ensure credit bureaus adequately protect consumers’ information in the wake of the attack.
There are already lots of rules and regulations that banks and other financial institutions have to follow when it comes to cybersecurity. Several lenders and trade groups collected all U.S. and global guidance documents, regulatory requirements and recent proposals on cybersecurity into a “financial sector profile,” said JPMorgan Chase & Co.’s Kevin Gronberg, who was also on the panel. It ended up being a 2,000-line spreadsheet showing a lot of overlap between rules and demands from different regulators, Gronberg said.
“We tried to put it all into a common language, so we can reply with the same answer when we get the same questions from different regulators,” said Gronberg, vice president of global cyber partnerships.