From American Banker:

“Some of NIST’s rules are becoming more flowy,” says Paul Rosenzweig, a senior fellow at the R Street Institute and a law professor at George Washington University. “Smaller banks and other financial institutions that don’t have the resources have been slower on the uptake.”

Rosenzweig said cyber rules can serve as a baseline standard. “Regulation is the tide that lifts all boats, especially the laggards relying on everyone else’s security.”

But he added that merely requiring banks to check boxes with more regulation has its limits. For one thing, he noted, the industry still lacks a definitive way to grade a company’s commitment to cybersecurity beyond its IT budget.

“You can point at how much you’re spending on security and count how many boxes you fill on a security checklist, but there’s no equivalent of a FICO score for cybersecurity,” he said.