SIFMA Publishes Recommendations for Effective Cybersecurity Regulatory Guidance


Release Date: October 20, 2014

Contact: Liz Pierce, 212.313.1173,


New York, NY, October 20, 2014 - SIFMA today published its "Principles for Effective Cybersecurity Regulatory Guidance," which provides regulators with SIFMA members' insight on productive ways to harmonize and create effective cybersecurity regulatory guidance. SIFMA's goal is to promote a collaborative approach to cybersecurity that can foster innovation and strengthen efforts to protect financial industry operations and, most importantly, our clients. This paper is one in a series of initiatives undertaken by SIFMA focused on enhancing the industry's cybersecurity preparedness and practices.


"Cybersecurity is a top priority for the financial services industry, which is dedicating significant resources to protect the integrity of the markets and the millions of Americans who use financial services every day. Effective and consistent regulatory guidance is a critical component of the broader cyber defense effort, as it promotes best practices and accountability across the financial sector," said Kenneth E. Bentsen, Jr., SIFMA president & CEO. "Cyber attacks are increasing in frequency and sophistication, and it is critical that the industry and government collaborate to mitigate these threats. We appreciate that the public sector has embraced this partnership and we will continue to offer our insights to help them in their work."


Specifically, SIFMA's paper outlines ten foundational principles that can serve as a framework for robust and efficient cybersecurity guidance. SIFMA's recommendations are meant to help regulators as they move forward with plans to review, update and harmonize their cybersecurity policies, regulations and guidance, in order to strengthen the financial sector's defense against, and response to, cyber attacks.


SIFMA members believe there is an opportunity to enhance regulatory guidance beyond existing requirements to improve the protection of the financial sector, and that a dynamic and collaborative partnership between the industry and government is the most effective path forward to accomplishing this goal. The benefits of this partnership approach led to the development of the NIST Cybersecurity Framework, which SIFMA is actively promoting within its membership and encourages regulators to use as a universal structure that can be leveraged as a starting point for creating a unified approach to cybersecurity.


Importantly, SIFMA's paper notes that harmonization of regulatory guidance across agencies and across borders is essential to avoid confusion in the industry and the duplication of efforts. SIFMA recommends the development of an inter-agency harmonization working group that could coordinate the review of cybersecurity regulations, ensure consistency and receive private sector input.


SIFMA's ten principles are as follows:


Principle 1: The U.S. Government Has a Significant Role and Responsibility in Protecting the Business Community
Principle 2: Recognize the Value of Public-Private Collaboration in the Development of Agency Guidance
Principle 3: Compliance with Cybersecurity Agency Guidance Must be Flexible, Scalable and Practical
Principle 4: Financial Services Cybersecurity Guidance Should be Harmonized Across Agencies
Principle 5: Agency Guidance Must Consider the Resources of the Firm
Principle 6: Effective Cybersecurity Guidance is Risk-Based and Threat-Informed
Principle 7: Financial Regulators Should Engage in Risk-Based, Value-Added Audits Instead of Checklist Reviews
Principle 8: Crisis Response is an Essential Component to an Effective Cybersecurity Program
Principle 9: Information Sharing is Foundational to Protection, Must Be Limited to Cybersecurity Purposes, and Must Respect Firms' Confidences
Principle 10: The Management of Cybersecurity at Critical Third Parties is Essential for Firms


The full text of SIFMA's "Principles for Effective Cybersecurity Guidance," which is one in a series of initiatives at SIFMA focused on enhancing the industry's cybersecurity practices, can be found here:

Over the past several years, SIFMA has brought together experts from across the public and private sectors to better understand the risks involved with a cyber attack and how the industry can be best prepared to thwart an attack. More information on SIFMA's cybersecurity work can be found here:


The Securities Industry and Financial Markets Association (SIFMA) brings together the shared interests of hundreds of securities firms, banks and asset managers. SIFMA's mission is to support a strong financial industry, investor opportunity, capital formation, job creation and economic growth, while building trust and confidence in the financial markets. SIFMA, with offices in New York and Washington, D.C., is the U.S. regional member of the Global Financial Markets Association (GFMA). For more information, visit