An updated cybersecurity framework should not create additional requirements, nor should it apply a one-size-fits-all approach for credit unions to demonstrate readiness, CUNA and the Independent Community Bankers of America wrote Monday. The letter was sent to the National Institute of Standards and Technology (NIST), in response to a proposed update of the framework to improve critical infrastructure cybersecurity.
NIST’s Cybersecurity Framework (CSF) is one of many resources used by credit unions to protect institutional and member data. For regulated entities, such as credit unions, the CSF may serve as the cybersecurity risk policy of the institution; or, it may serve as a compliment to another risk framework. For unregulated entities, it provides a baseline method for organizations to establish a cybersecurity risk policy.
“It is critical that any prudential financial regulator that supervises or examines financial institutions for compliance with cybersecurity risk standards not require the use of any one cybersecurity framework, assessment or tool over another, including the NIST CSF,” the joint letter reads. “Rather, we strongly support and encourage the continued voluntary nature of the NIST CSF, or other appropriate framework, tool or assessment, as an institution deems fit, dependent upon its risk profile in accordance with guidance issued by the Federal Financial Institutions Council.”
The letter also offers the following suggestions:
CUNA does not support new or additional cybersecurity regulatory requirements. If regulators determine new or additional requirements are necessary, those should be incorporated into existing frameworks or guidance; and
NIST should consider including recognition of entities that are already subject to strong supervision and examination by regulatory bodies, such as credit unions, which are more specific to the financial sector that the NIST CSF.