Philadelphia, PA (January 17, 2017) —
The Risk Management Association, a recognized thought
leader in the field of operational risk management, including cyber risk and
third-party risk management, filed a comment letter last week with U.S.
financial regulators regarding their jointly issued advance notice of proposed
rulemaking (ANPR), “Enhanced Cyber Risk Management Standards.”
The letter, which was informed by subject matter experts at
RMA member banks, warns the agencies against prescribing specific cyber risk
management actions and safeguards, and suggests instead a more principles-based
approach. The comment letter also notes that asset size alone should not
determine a financial institution’s strategy. Rather, it says, banks
should take measures based on their complexity and the particular risks they
face. Such an approach, the letter says, will allow institutions to evolve their
strategies as the threat landscape evolves. One risk of across-the-board
cyber risk rules, RMA notes, is that banks with similar defenses would all be
vulnerable to the same threat, increasing systemic risk.
Among other RMA feedback to the ANPR, the letter also
suggests there be a mechanism to better allow law enforcement agencies to share
threat information with banks. Regarding the agencies’ efforts to have banks
quantify cyber risk, RMA suggests the use of “basic metrics,” such as
documenting the number of unpatched known vulnerabilities in a system. “Were
the agencies to prescribe modelling,” the letter says, “there would be a
significant resulting misallocation of resources whereby institutions would
focus on quantification and measurement instead of risk management.”
About RMA
Founded in 1914, The Risk Management Association is a not-for-profit,
member-driven professional association whose sole purpose is to advance the use
of sound risk management principles in the financial services industry. RMA
promotes an enterprise approach to risk management that focuses on credit risk,
market risk, and operational risk. Headquartered in Philadelphia, Pennsylvania,
RMA has 2,500 institutional members that include banks of all sizes as well as
nonbank financial institutions. They are represented in the Association by more
than 18,000 risk management professionals who are chapter members in financial
centers throughout North America, Europe, Asia/Pacific, and Australia.
Media Contacts
Stephen Krasowski, skrasowski@rmahq.org, 215-446-4095
Frank Devlin, fdevlin@rmahq.org, 215-446-4137