February 03, 2016

NAFCU urges NIST to keep cyber framework voluntary

NAFCU yesterday encouraged the National Institute of Standards and Technology to keep its cybersecurity framework voluntary and to ensure that the framework remains "scalable and flexible in its application to financial institutions of all sizes and structures."

NIST released its cybersecurity framework in 2014. NAFCU Regulatory Affairs Counsel Kavitha Subramanian, writing yesterday in response to NIST's request for information on the framework, urged NIST "to continue to provide leadership and insight to ensure that the cybersecurity frameworks remain feasible to implement and adaptive to evolving risks."

She asked that NIST, when updating its framework, follow an approach similar to that taken by the Federal Financial Institutions Examination Council, which released a voluntary cybersecurity assessment tool in 2015.

"NAFCU recommends that NIST carefully study the framework adopted in the Assessment and ensure that the revised NIST framework follow a similar approach, especially since the National Credit Union Administration (NCUA) and other FFIEC regulators will be incorporating this Assessment into the supervisory and examination process for financial institutions," she wrote.

She also noted the need for legislative measures to ensure that cyber and data security can be achieved for consumers and the financial services industry. Subramanian noted NAFCU's support for the "Data Security Act of 2015" (H.R. 2205/S. 961), and urged NIST to "use its expertise to educate lawmakers and regulators about the emerging cybersecurity threats and the need for real-time multi-sector collaboration to prevent consumer data breaches."