RMA Suggests Principles-Based Approach to U.S. Cyber Risk Rules

Philadelphia, PA (January 17, 2017) —

The Risk Management Association, a recognized thought leader in the field of operational risk management, including cyber risk and third party management risk, filed a comment letter last week with U.S. financial regulators regarding their jointly issued advanced notice of proposed rulemaking (ANPR), “Enhanced Cyber Risk Management Standards.” 

The letter, which was informed by subject matter experts at RMA member banks, warns the agencies against prescribing specific cyber risk management actions and safeguards, and suggests instead a more principles-based approach. The comment letter also notes that asset size alone should not be what determines a financial institution’s strategy. Rather, it says, banks should take measures based on their complexity and the particular risks they face. Such an approach will allow institutions to evolve their strategies as the threat landscape evolves, the letter says. One risk of across-the-board cyber risk rules, RMA notes, is that banks with similar defenses would all be vulnerable to the same threat, increasing systemic risk.

Among other RMA feedback to the ANPR, the letter also suggests there be a mechanism to better allow law enforcement agencies to share threat information with banks. Regarding the agencies’ efforts to have banks quantify cyber risk, RMA suggests the use of “basic metrics,” such as documenting the number of unpatched known vulnerabilities in a system. “Were the agencies to prescribe modelling,” the letter says, “there would be a significant resulting misallocation of resources whereby institutions would focus on quantification and measurement instead of risk management.”

About RMA 
Founded in 1914, The Risk Management Association is a not-for-profit, member-driven professional association whose sole purpose is to advance the use of sound risk management principles in the financial services industry. RMA promotes an enterprise approach to risk management that focuses on credit risk, market risk, and operational risk. Headquartered in Philadelphia, Pennsylvania, RMA has 2,500 institutional members that include banks of all sizes as well as nonbank financial institutions. They are represented in the Association by more than 18,000 risk management professionals who are chapter members in financial centers throughout North America, Europe, Asia/Pacific, and Australia.

Media Contacts 
Stephen Krasowski, skrasowski@rmahq.org, 215-446-4095 
Frank Devlin, fdevlin@rmahq.org, 215-446-4137