Advisors to the White House have recommended harmonizing the many cybersecurity breach notifications companies face. Bankers say yes, please.
For bankers, the action could mean simplified requirements in the wake of a cybersecurity breach, allowing the institution to remediate quickly while still providing federal officials insights that could protect other industry actors. But some see potentially deleterious consequences of adopting the recommendations.
As first reported by
President Biden appointed the members of NSTAC to advise him "on the reliability, security, and preparedness of vital communications and information infrastructure," according to
While The NSTAC's recommendations this month focus on harmonization, they do not solely concern the financial sector, and they include other advice to the president including that he advance the adoption of post-quantum cryptography.
The harmonization office also likely would not have the authority to harmonize various state-level requirements that banks face in the wake of a cybersecurity incident. Those combine with a number of federal requirements to create
Three prudential regulators (the Federal Deposit Insurance Corp., the Office of the Comptroller of the Currency, and the Federal Reserve Board)
These varying rules make breach reporting the main point of disharmony in the cyber regulations banks face, according to Stephen Lilley, a member of the cybersecurity and data privacy practice at law firm Mayer Brown. But, he said, creating a harmonization office within CISA that assesses such rules could constitute a change of its mission that polarizes the agency and make it less effective.
Although the NSTAC has a "great goal" in mind by recommending CISA establish an office of regulatory harmonization, according to Lilley, "it's a goal that a lot of people have shared for a long time," and there are many barriers to achieving it.
Establishing such an office could also change the level of bipartisan support CISA has enjoyed, according to Lilley. The agency, established in 2018, enjoyed unanimous approval in both the House and Senate. A
Today, CISA has a primarily operational role in improving cybersecurity across all levels of government and providing resources that private enterprises can use to improve their own cybersecurity. According to Lilley, having the agency also responsible for assessing regulations could change the support it enjoys.
"One of the great strengths of CISA has been its focus on security, and it's been able to advance goals that everybody shares," Lilley said. "Once you get into regulation, politics tends to get a bit more pronounced."
The Bank Policy Institute, a nonpartisan public policy research and advocacy group whose members collectively employ nearly 2 million Americans and make nearly half of the nation's bank-originated small business loans, is among the entities that has backed efforts to harmonize cybersecurity regulations in the past.
When Congress considered the 72-hour cybersecurity breach notification law, BPI expressed its support for the bill, promoting it as a vehicle for harmonizing other breach notification regulations. Creating an office of regulatory harmonization within CISA could have the same effect, which has been a focus for BPI.
"Policymakers' focus right now is on incident reporting," said Heather Hogsett, a senior leader of the Bank Policy Institute's technology policy division. "It's not that there aren't other areas of cyber operations," she said, but there are multiple ongoing regulatory efforts around cybersecurity today, "and they're all dealing with cyber incidents and how we share information between the affected firm and government."
The 72-hour rule is one such effort; another is from the Securities and Exchange Commission, which has proposed a rule that publicly traded companies have four days to publicly disclose any "material cybersecurity incident" on a Form 8-K, which is used to notify investors about certain events that can affect their investment.
For Erin Illman, the chair of the cybersecurity practice at law firm Bradley Arant Boult Cummings, the primary potential of harmonizing cybersecurity regulations is that it could put banks and nonbank financial companies on equal regulatory footing. This would concern what is considered a "reasonable standard" of security for companies to meet when protecting user data, not just the notification requirements they face when that data is compromised.
"I think a lot of it goes back to this reasonable security standard," Illman said. "The financial services sector is a prime target for threat actors, so the idea would be to make sure that all financial institutions are putting in the same defensive measures to prevent those types of attacks."
That might be more theoretical than inevitable, according to attorney Lilley. Breach notification requirements remain the key point of disharmony within the regulatory environment that banks must navigate, and he expects that alone will take a great deal of intention to fix, as the combination of the new SEC and CISA rules has only added complexity to the mix recently.
"My guess is that it's something that we'll see incremental improvement upon over time," Lilley said. "It won't be achieved overnight."