Regulators Mandating Cyber-Related Technologies? Pump the Brakes

Too many accidents will lead to regulatory reform.

Anthony Malakian, US Editor, Waters & WatersTechnology.com

You might've noticed that your WatersTechnology newsfeed has been littered of late with stories relating to cyber security. The reason, in addition to it being one of the great IT challenges of the day, is that the April issue of Waters is dedicated to cyber security, and our sibling publication OpRisk held a timely cyber-security conference last week.

Of course, there will be more to come on this in the weeks ahead, but the one thing that I wanted to write about today is the issue of how much (or little) presence the regulators should have when it comes to cyber security.

At that OpRisk mini-conference, dubbed CyberRisk North America, Dennis Dickstein, chief privacy and information security officer at UBS, had an interesting take on the issue. Dickstein started out by making it clear that he's not a technologist: "I've never been a part of technology and I never will be. I'm part of the business," he said.

With this as a caution, he also said that he believes that technology can improve the fight against cyber criminals; it's up to firms to implement these technologies on their own. Yet, at the same time, he made a case for regulators to step in and mandate that firms implement certain technologies.

"When I think of technology, I think of automobiles," he said, providing an analogy. "If a person drinks a lot and gets into a car and drives it into a tree, I don't think it's the fault of Volvo or Lexus or whatever the person is driving; it's the fault of the person for drunk driving. But at the same time, you could do things technologically to that car to make it safer, such as putting a breathalyzer in every car. How long did it take to get seatbelts in every car? It took laws, after a while."

If there are too many accidents, then the regulators are going to be forced to come in and levy some laws to try and make the system safer and restore consumer confidence.

He continued: "We have this technology and we're making improvements, but the legacy technology has to catch up and it takes a while. Why did it take so long for us to get airbags in our cars, when they had the technology decades ago?"

Regulatory Intervention? 

So I posed this question to Dickstein: Are you then advocating for the regulators to come in and mandate the kinds of systems and technologies that should be minimally implemented?

I don't think Dickstein (who was an excellent moderator; one of the best I've seen, actually) meant to go down that road, and he didn't. So he clarified.

Using another analogy, he pointed to the sealed caps on medicine bottles. Yes, the regulators eventually mandated these caps, but the pharmaceutical companies were ahead of the curve because it was good for business, so they started using them even before the regulators mandated it, Dickstein said. The caps became, essentially, a best practice and the regulators simply codified that practice.

"There's something to be said about the agility and ability of private enterprise to go in and do the right thing quicker than the government telling us to do it," he concluded.

Stanley Poszywak, operational risk team lead of supervision, regulation and credit at the Federal Reserve Bank of Richmond, didn't want any part of being overly prescriptive when it comes to the regulators mandating technology in the fight against cyber crime.

"You guys are the subject matter experts; if I come into a bank and I know more about your systems than you do, shame on you," he said, speaking to the companies in the audience whom the Fed oversees. "You should know your own architecture. ...We are not there to design or prescribe to you what application or solution you need to have. We will observe, we will recommend, and we will recommend that you fix something, but we're not going to tell you how to do that.

"We, as regulators, are not here to tell you what systems you need to have, because we simply don't have that type of expertise," he continued. "Some of us are better than others in terms of knowing what kind of things that you'd expect to see when you look at a framework or network infrastructure, but that's simply not our sanction."

I think that for Waters' readership, there's probably near-consensus that banks and other financial institutions don't want regulators knocking at their door with a list of mandates. I also don't think that the regulators (at this point, anyway) want to get too deeply involved because, as Poszywak noted, they're playing a game of catch-up, as well.

But Dickstein's first analogy about the car is valuable: If there are too many accidents, then the regulators are going to be forced to come in and legislate some rules to try and make the system safer and restore consumer confidence. Nobody wants that, so it's up to the financial services industry to work together to fight this problem now, before the authorities reluctantly do it later.

Five Random Thoughts/Links:

● Remember that tunnel that the authorities found in Toronto, which was quickly dubbed the "#terrortunnel" on Twitter? Turns out it was just some dude who lives in a tough neighborhood and wanted to create a getaway from himself. This is a pretty great read. I don't live in a tough neighborhood, but I can relate to the desire to get the hell out of the city to find some quiet.

● Comedian Trevor Noah will replace Jon Stewart as the host of "The Daily Show". Noah had a few segments as a "correspondent" on the faux news program. He's a surgeon with his jokes. He leads you in and then delivers the punchline with precision. Being that he's South African, born during Apartheid from a black mother and a white (Swiss) father, his perspective on American race relations is at times cutting and often brilliant. He's an interesting break from Stewart. I hope that fans give him the chance to build his own brand.

● After four days, my NCAA March Madness bracket was busted, with two of my Final Four teams (Iowa St and Virginia) ousted in the first two rounds of the tournament. But, to be fair, the only March Madness I really care about took place in St. Louis at the NCAA D1 Wrestling Championships.

I grew up in Easton, Pennsylvania (a high school wrestling hotbed) and my older brother was a wrestler, so I was a wrestler, too. Basketball never appealed to me. So while everyone was tuned in to CBS to watch basketball, I was on ESPN watching wrasslin'. And in case you were wondering, Ohio State won the team title (an upset as they easily outpointed mighty Iowa) and the Buckeyes' Logan Stieber became the fourth wrestler to win four national championships.

For those interested, next year's national championships will be held at Madison Square Garden. I'll definitely be there.

● Duncan Niederauer sounds all-in on Bitcoin; the US Secret Service...ehhhh, not so much.

● Shameless plug here, but I'm very happy with the way that my April Waters feature on patching came out. I hope you'll read it and find value in it. Feel free to shoot me an email or give me a call (646-490-3973) if you have any thoughts on patching of your own.

 
