Dear Sir,
"IT risks need to be accorded the same status as credit, financial and conduct risk. They are every bit as serious a threat to customers and to overall financial stability"
While I applaud the sentiment in those sentences, I think it would be wholly incorrect to create one group that will provide guidelines for IT Security. Who should be in that group? GCHQ? NSA? Google? HPE? IBM? End-users? FSF? Why not also Microsoft?
An IT Security/Resiliency Regulator... What a waste of money. What have the Romans ever done for us, eh?
Creating laws that make it unlawful for a technology-driven company (any really, not only banks)
* to have outages that take longer than 24 to fix (public SLA)
* to have systems that can be hacked into
* to not report such (also) illegal hackingly acquired access
Make the amount of fines payable to the court depend on how life-necessary the technology service is, and/or how many records were stolen, and/or how many (wall-clock) hours of illegal access were achieved, and/or how many hours of DDoS caused systems to be unreachable for their intended purpose. I.e. Facebook can pay the amount of (£|$|€)0.001 if unavailable for 1 year, whereas for example a national news service (paid by TV licences) might attract fines of half a million in case their online services are unreachable for half a day, possibly payable by budget cuts from then on in (i.e. lower TV licence cost).
To me, that should be part of the Computer Misuse Act. Yes, I understand that IoT and Cloud Computing require responsive and dynamic compute resources... That in itself does not mean one can forsake a firewall, a bastion host, or a FortiNet device (oh wait...), or any IT Security measures that common sense dictates should be implemented.
Best regards,
Guus Leeuw