Organizations representing accountants and auditors are joining the pushback against proposed new federal cybersecurity rules for the largest banks from the three top U.S. financial services regulators.
The Association of International Certified Professional Accountants, the Center for Audit Quality and the Institute of Internal Auditors have all submitted public comments within the last week about the planned rulemaking by the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation.
The agencies last year published a joint advanced notice of proposed rulemaking, or ANPR, soliciting industry input about a plan to impose special cybersecurity risk management requirements on the nation’s largest banks and their most important third-party service providers like the Depository Trust and Clearing Corporation, or the Automated Clearing House.
The three accountancy organizations all argue that any regulatory action should be restricted to establishing high-level principles or flexible frameworks — eschewing specific or prescriptive rules which might be duplicative and could become quickly outdated as hacker threats evolve.
“Due to the dynamic nature of cyber risks, as well as the varied size and industry role of certain covered entities, any standards resulting from the new rulemaking should permit flexibility for developing frameworks that would allow allocation of resources to effectively address areas of higher risk,” writes Richard Chambers, president and CEO of the Institute of Internal Auditors. The institute is a global professional association with 185,000 members.
His letter is the shortest and most supportive, backing at least one proposal — the integration of cyber risk management into the “three lines of defense” model — that the Center for Audit Quality opposes.
“We believe that the regulatory community can best serve the public interest and national security by coordinating to establish and implement common, overarching principles related to cybersecurity risk management,” writes Susan Coffey, executive vice president for public practice at the Association of International Certified Professional Accountants, in her letter.
“A consistent set of high-level principles or best practices (as opposed to specific, detailed, prescriptive rules or requirements), would keep the focus on agility and responsiveness to an ever-evolving challenge, to stay one step ahead of, not behind, current and future risks,” continues the Coffey letter. The association is a joint venture of two of the largest professional accountancy groups, the American Institute of Certified Public Accountants and the Chartered Institute of Management Accountants.
The association goes out of its way to oppose any regulatory mandate for cybersecurity assessments. “The decision to undergo an independent cybersecurity risk management examination should be market driven and voluntary, resting with the board and management of each company, and not be dictated by a government regulation or mandate,” writes Coffey.
An issue all three letters raise is the need to ensure regulations are harmonized to avoid duplicative or conflicting requirements.
“One goal of the agencies should be to align and focus the range of response to cybersecurity risks — and to avoid exacerbating compliance efforts with yet another layer of prescribed activities,” writes Cynthia Fornelli, executive director of the Center for Audit Quality.
“As written, the ANPR runs the risk of establishing yet another framework in a long line of prescriptive policies that have emerged domestically and internationally,” she adds.
The accountants’ concerns echo those raised by other commenters, most notably the U.S. Chamber of Commerce, in a letter also sent last week.
The joint ANPR is open for public comment until Feb. 17.