A consortium of financial industry associations—The International Swaps and Derivatives Association, the European Banking Federation, and the Global Financial Markets Association (which includes the Securities Industry and Financial Markets Association among its members)—has published a set of common principles to promote effective global policymaking on cyber-security, data, and technology. The industry groups are seeking constructive cooperation with regulators on the principles by submitting them to the Financial Stability Board and the International Organization of Securities Commissions.
“Grappling with cyber-security, data protection and appropriate technology policies remain ongoing projects for banks, asset managers, funds and insurance companies, as well as the regulators of those institutions,” a statement from the groups says. “The costs related to these projects only increase for financial institutions that report to multiple regulators or operate across national boundaries. Encouraging standard-setting bodies to consider core, transparent policies and to receive meaningful input from market participants may help prevent duplicative or inconsistent standards across regulators.”
The principles follow a report published in April 2016 by IOSCO that provided an overview of the different regulatory approaches related to cyber-security that its members have implemented and the different practices that market participants have adopted to address cyber-security issues. The report functioned primarily as a survey of various regulatory approaches in different jurisdictions, with little emphasis on any preferred approach. In contrast, the newly agreed-upon principles highlight “the crucial issue that effective policy-making requires, recognizing that cyber-security, data protection and technological advancement in the financial sector is an international issue that requires global solutions.”
The document also encourages global standards and cooperation to mitigate the problem of asking international firms with global platforms to comply with conflicting rules in different markets or jurisdictions, which could lead to increased compliance costs and fragmented technology systems or risk management processes. It also advocates for rules that go beyond simply assessing whether a particular institution is compliant with a particular standard and instead ensure that sufficient resources are in place to manage risk and to interact proactively with regulators to assess cyber-threats and data protection.