Source: Lawfare
The U.S. banking environment has been beset by increasingly disruptive cyberattacks targeting financial institutions and their supply chains. These attacks underscore the importance of incentivizing high-performing cybersecurity programs across the banking sector, including many small to mid-sized institutions with limited resources. Most discussion of regulatory incentivization centers around the use of regulatory “sticks,” but using “carrots” could actually drive performance that is both faster and more effective against changing threats.
A rough model for such an approach (though in a historically physical security context) already exists in the trade sector: The Customs Trade Partnership Against Terrorism (CTPAT) was established after the 9/11 terrorist attacks to incentivize cargo supply chain stakeholders to invest in higher levels of security. Participants voluntarily agree to implement specified security measures and have those measures independently validated. In return, CTPAT members are considered to be low risk and are therefore less likely to be examined at a U.S. port of entry by U.S. Customs and Border Protection. The concept has also been applied internationally through bilateral mutual recognition programs as well as through multilateral dialogue at the World Customs Organization.
