Regulators Mandating Cyber-Related Technologies? Pump the Brakes
Too many accidents will lead to regulatory reform.
You might've noticed that your WatersTechnology newsfeed has been littered of late with stories relating to cyber security. The reason, in addition to it being one of the great IT challenges of the day, is that the April issue of Waters is dedicated to cyber security, and our sibling publication OpRisk held a timely cyber-security conference last week.
Of course, there will be more to come on this in the weeks ahead, but the one thing that I wanted to write about today is the issue of how much (or little) presence the regulators should have when it comes to cyber security.
At that OpRisk mini-conference, dubbed CyberRisk North America, Dennis Dickstein, chief privacy and information security officer at UBS, had an interesting take on the issue. Dickstein started out by making it clear that he's not a technologist: "I've never been a part of technology and I never will be. I'm part of the business," he said.
With this as a caution, he also said that he believes that technology can improve the fight against cyber criminals; it's up to firms to implement these technologies on their own. Yet, at the same time, he made a case for regulators to step in and mandate that firms implement certain technologies.
"When I think of technology, I think of automobiles," he said, providing an analogy. "If a person drinks a lot and gets into a car and drives it into a tree, I don't think it's the fault of Volvo or Lexus or whatever the person is driving; it's the fault of the person for drunk driving. But at the same time, you could do things technologically to that car to make it safer, such as putting a breathalyzer in every car. How long did it take to get seatbelts in every car? It took laws, after a while."
He continued: "We have this technology and we're making improvements, but the legacy technology has to catch up and it takes a while. Why did it take so long for us to get airbags in our cars, when they had the technology decades ago?"
Regulatory Intervention?
So I posed this question to Dickstein: Are you then advocating for the regulators to come in and mandate the kinds of systems and technologies that should be minimally implemented?
I don't think Dickstein (who was an excellent moderator; one of the best I've seen, actually) meant to go down that road, and he didn't. So he clarified.
Using another analogy, he pointed to the sealed caps on medicine bottles. Yes, the regulators eventually mandated these caps, but the pharmaceutical companies were ahead of the curve because it was good for business, so they started using them even before the regulators mandated it, Dickstein said. The caps became, essentially, a best practice and the regulators simply codified that practice.
"There's something to be said about the agility and ability of private enterprise to go in and do the right thing quicker than the government telling us to do it," he concluded.
Stanley Poszywak, operational risk team lead of supervision, regulation and credit at the Federal Reserve Bank of Richmond, didn't want any part of being overly prescriptive when it comes to the regulators mandating technology in the fight against cyber crime.
"You guys are the subject matter experts; if I come into a bank and I know more about your systems than you do, shame on you," he said, speaking to the companies in the audience whom the Fed oversees. "You should know your own architecture. ...We are not there to design or prescribe to you what application or solution you need to have. We will observe, we will recommend, and we will recommend that you fix something, but we're not going to tell you how to do that.
"We, as regulators, are not here to tell you what systems you need to have, because we simply don't have that type of expertise," he continued. "Some of us are better than others in terms of knowing what kind of things that you'd expect to see when you look at a framework or network infrastructure, but that's simply not our sanction."
I think that for Waters' readership, there's probably near-consensus that banks and other financial institutions don't want regulators knocking at their door with a list of mandates. I also don't think that the regulators, at this point, anyway, want to get too deeply involved because, as Poszywak noted, they're playing a game of catch-up, as well.
But Dickstein's first analogy about the car is valuable: If there are too many accidents, then the regulators are going to be forced to come in and legislate some rules to try and make the system safer and restore consumer confidence. Nobody wants that, so it's up to the financial services industry to work together to fight this problem now, before the authorities reluctantly do it later.
Five Random Thoughts/Links:
● Remember that tunnel that the authorities found in Toronto, which was quickly dubbed the "#terrortunnel" on Twitter? Turns out it was just some dude who lives in a tough neighborhood and wanted to create a getaway for himself. This is a pretty great read. I don't live in a tough neighborhood, but I can relate to the desire to get the hell out of the city to find some quiet.
● Comedian Trevor Noah will replace Jon Stewart as the host of "The Daily Show". Noah had a few segments as a "correspondent" on the faux news program. He's a surgeon with his jokes. He leads you in and then delivers the punchline with precision. Being that he's South African, born during Apartheid from a black mother and a white (Swiss) father, his perspective on American race relations is at times cutting and often brilliant. He's an interesting break from Stewart. I hope that fans give him the chance to build his own brand.
● After four days, my NCAA March Madness bracket was busted, with two of my Final Four teams (Iowa St and Virginia) ousted in the first two rounds of the tournament. But, to be fair, the only March Madness I really care about took place in St. Louis at the NCAA D1 Wrestling Championships.
I grew up in Easton, Pennsylvania (a high school wrestling hotbed) and my older brother was a wrestler, so I was a wrestler, too. Basketball never appealed to me. So while everyone was tuned in to CBS to watch basketball, I was on ESPN watching wrasslin'. And in case you were wondering, Ohio State won the team title (an upset as they easily outpointed mighty Iowa) and the Buckeyes' Logan Stieber became the fourth wrestler to win four national championships.
For those interested, next year's national championships will be held at Madison Square Garden. I'll definitely be there.
● Duncan Niederauer sounds all-in on Bitcoin; the US Secret Service...ehhhh, not so much.
● Shameless plug here, but I'm very happy with the way that my April Waters feature on patching came out. I hope you'll read it and find value in it. Feel free to shoot me an email or give me a call (646-490-3973) if you have any thoughts on patching of your own.
Copyright Infopro Digital Limited. All rights reserved.