An amendment to the National Defense Authorization Act passed by the House in July would create a “systemically important entity” designation, applying new regulations and offering priority aid to certain critical infrastructure companies. But the American Bankers Association and Bank Policy Institute say the amendment as applied to financial institutions would duplicate existing regulations under the Dodd-Frank Act, while also requiring the turnover of a substantial amount of cybersecurity-related data that could prove dangerous in the wrong hands.
The amendment introduced by Congressman Jim Langevin (D-RI), chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems, focuses on those private sector entities whose core functions are of national consequence to the United States, a definition which would encompass some of the largest companies in the nation’s banking industry.
Explaining the reasoning behind the amendment, Congressman Langevin said, “After all, these entities are particular focal points of leverage to our adversaries — if any of them falls victim to a cyberattack, the entire country is in store for a very bad day. Creating a partnership wherein systemically important entities receive greater support from the federal government to defend their networks, without overburdensome regulation, will enhance our nation’s collective security.”
But financial industry trade groups say the amendment — which would require covered entities to promptly establish contact with federal authorities and ascertain the need for incident response in the event of a cyberattack — is duplicative since financial institutions are already subject to extensive cybersecurity risk management and incident reporting frameworks imposed by other regulators. Moreover, the proposed amendment would require banks to turn over details about their software vendors and other risks to their supply chains that could prove dangerous if that data were to be stolen from the government in a cyberattack.
“While some critical infrastructure sectors are not captured by similar designation programs and may warrant additional oversight, financial institutions are already subject to extensive cybersecurity risk management and incident reporting frameworks that require reviews of security controls and data protection measures, the security of vendors and suppliers, governance processes, and incident notification and reporting,” the associations said. “Adding yet another layer of reporting to a different set of agencies with different standards would detract significantly from financial institutions’ essential work defending against cyber threats.”
Within the coming year, the Department of Homeland Security must establish criteria and procedures for identifying and designating entities as systemically important, and within two years it must establish what reporting requirements will be imposed on those entities. The amendment also instructs the Department of Homeland Security to coordinate with other federal agencies already responsible for regulating systemically important entities to determine whether any existing reporting rules should serve as a basis for exempting such companies from parts of the new requirements.
Troutman Pepper will continue to monitor important developments involving cybersecurity implications to financial institutions of the National Defense Authorization Act and will provide further updates as they become available.