Cybersecurity is a little like aeronautical engineering.
Once upon a time, airlines and engineers focused as much energy as they could on preventing plane crashes. If the plane went down, everybody would die. Today, of course, we still want to prevent plane crashes, but engineers and airlines also devote a good deal of resources to making the crash survivable.
That’s the metaphor Sean Mahoney, a partner at K&L Gates, has used to describe the shift in thinking about cybersecurity, particularly in the financial services landscape, and some of the recent words out of industry trade groups and regulators appear to back him up.
A recent white paper from the industry trade group Securities Industry and Financial Markets Association (SIFMA), for example, also points to a shift in the way the financial services industry is thinking about cybersecurity. In the paper, SIFMA lays out its 10 principles for effective regulatory guidance in the realm of cybersecurity, from “The U.S. government has a significant role and responsibility in protecting the business community” to “financial regulators should engage in risk-based, value-added audits instead of checklist reviews.”
In putting together those standards, SIFMA hopes to appeal to regulators who have recently taken a greater interest in cybersecurity, said Karl Schimmeck, SIFMA’s managing director of financial services operations.
“We’ve seen it with the SEC, FINRA, the OCC … They’re all actively out there looking at this topic and where they want to update their regulations,” he said. “We just wanted to put out some guideposts … we think that regulatory guidance has an effective role to play in this area.”
Seeking Guidance
That’s right: In an apparent about-face from the usual protests over regulatory burdens, an industry group is actually asking for a little bit of regulatory guidance. But it all makes sense in context, Mahoney said.
“What’s been happening, in particular in the securities industry with broker dealers, is that until recently, if there was a security breach of some sort, that would be followed by an enforcement action,” he said. “It’s not a very efficient way of bringing companies into compliance.”
In other words, it’s frustrating to firms to be slapped on the wrist for running afoul of the rules when those rules weren’t laid out clearly from the beginning.
“There’s a tension … The industry wants to know: What are the rules, so we can follow them? And where the frustration comes in is where there isn’t clear guidance, and yet you see the enforcement actions and consent agreements being entered into after the fact,” said Brenda Sharton, senior partner at Goodwin Procter.
But Schimmeck is clear that there’s a right way to regulate this space and a wrong way. SIFMA advocates a risk-based and threat-based approach to cybersecurity, he said. That means taking into account the type of potential threats to your firm, your company’s resources and recent history.
“This is an active risk management area. This is not something where you adhere to a checklist and say, ‘I’m in compliance.’ Being in compliance in no way protects you,” Schimmeck said.
Toward that end, Schimmeck and others at SIFMA hope that regulators will not take a “checklist” or prescriptive-style approach to regulating cybersecurity.
“The idea is, one size does not fit all,” he said.
A Paradigm Shift
But while SIFMA’s recommendations apply to the financial services industry as a whole, the Federal Financial Institutions Examination Council (FFIEC) conducted its own cybersecurity assessment at more than 500 community financial institutions this past summer.
Lynne B. Barr, a partner at Goodwin Procter and chair of the firm’s banking and consumer financial services practice, said that risk is inherent to all financial systems and that community banks are no better or worse prepared than any larger financial institution.
While affirming an expectation that all financial institutions stay up to date on cyber-threats, the FFIEC also advised financial institutions to consider, for instance, the types of connections they have, their risk management and oversight, and their processes for gathering and analyzing threat information. The agency also suggested banks participate in the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Likewise, SIFMA acknowledged the National Institute of Standards and Technology (NIST) framework as a critical resource for financial institutions.
And to come back to Mahoney’s original point, the thinking about cybersecurity has shifted now toward having a plan in place and making sure a financial institution’s response to a data breach isn’t worse than the breach itself.
“Up until maybe a couple years ago, the focus had been on prevention, and it was like having a data security breach was the unforgivable act … I think there seems to be a realization now, that even if you do everything you’re supposed to do, there’s still a pretty good chance you’ll have some sort of data security breach,” he said. “All the focus was on preventing the plane crash and not enough on making the crash survivable. Now I think the focus seems to be pivoting toward making the crash survivable.”
Email: lalix@thewarrengroup.com