Here's how the White House's cyber initiatives could affect banks

White House at Night
The White House said Thursday when it released its cybersecurity implementation plan that it wants to ensure "the biggest, most capable, and best-positioned entities – in the public and private sectors" take on the most liability for software vulnerabilities.
Adobe Stock

A new cybersecurity plan the White House released Thursday could have a mix of implications for banks: Liability for breaches could shift away from responsible software developers, and banks would be held more accountable for their vendor choices and could be required to provide ingredient lists for the software programs they develop in-house.

On Thursday, the White House released an implementation plan for the national cybersecurity strategy that it announced in March, revealing some details on President Joe Biden's plans to shift liability for data breaches and insecure software to larger and more capable companies, such as banks.

The only specific mention of financial services in the document pertained to global anti-money laundering and countering the financing of terrorism, but experts said that as critical infrastructure entities, banks will also feel the impact of plans.

Liability for software vulnerabilities

One of the main changes the White House hopes to make with its cybersecurity strategy has to do with liability for data breaches and insecure software. The administration hopes to ensure "that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk," according to a press release accompanying the implementation plan.

But for the most part, the implementation plan focuses on what companies can do to limit their liability for vulnerabilities in software. The plan specifically references part of the National Cybersecurity Strategy from March that discusses a "safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."

President Biden Travels To Virginia Beach

The strategy document identifies potential avenues for cutting cybercriminals off from financing, as well as other actions banks can take.

March 3

The implementation plan includes three initiatives under the strategic objective of shifting liability for insecure software. The first is to have the Office of the National Cyber Director host a legal symposium to "explore different approaches to a software liability framework" to discuss how the software vulnerability liability framework would compare to other liability regimes.

The second initiative under this liability umbrella is to have federal agencies work with the Cybersecurity and Infrastructure Security Administration to "identify and reduce gaps" in the "scale and implementation" of software bills of materials (SBOMs), with the intent of mitigating risks presented by unsupported software.

The third initiative is to "build domestic and international support for an expectation of coordinated vulnerability disclosure" across sectors, which in banking would mean greater coordination between software providers, banks and white-hat hackers in identifying and closing cybersecurity holes in software.

Harmonizing regulations

As for other specifics in the implementation plan, the first element is to "establish an initiative on cyber regulatory harmonization," according to the document. Cyber regulatory harmonization has been a top concern for banks, making the initiative a welcome sight for many bankers.

Close-up of US Department of Homeland Security Sign and emblem

Rules around what, when, and to whom a bank must report in the wake of a data breach remain a key point of regulatory friction. Some hope a new federal office could help.

February 28

The Bank Policy Institute, a public policy research and advocacy group, expressed faith last year that a bill that later became law would harmonize requirements on banks to report data breaches — currently a major source of regulatory disharmony. The Cybersecurity and Infrastructure Security Agency, which is in charge of implementing the law, has not yet drafted regulations and has until March 2024 to do so.

The White House's implementation plan calls on the Office of the National Cyber Director to put out a request for information that will help the office understand "existing challenges with regulatory overlap" so that it can "explore a framework for reciprocity for baseline requirements," according to the plan.

The second initiative in the plan calls for setting "cybersecurity requirements across critical infrastructure sectors." The National Security Council, which is already leading a policymaking process to this end, will work with Sector Risk Management Agencies (SRMAs) to develop proposals to establish cyber requirements. For financial services, the Department of Treasury serves as the SRMA.

Software ingredient lists

The implementation plan also provides details on the president's efforts to establish requirements on software bills of materials (SBOMs), which is a nested inventory of the ingredients that make up software components.

A 2021 executive order put the National Telecommunications and Information Administration in charge of developing SBOM requirements, which the administration in 2021 published in a series of articles. The administration pointed to three SBOM standards — SPDX, CycloneDX and SWID — that "cover the needs for the baseline SBOM."

It remains unclear to what extent banks will need to provide ingredient lists for software they develop. So far, only software vendors that sell to federal agencies face requirements that concern bills of materials, but Thursday's implementation plan suggests SBOMs may become ubiquitous within critical infrastructure sectors such as banking.

"In order to collect data on the usage of unsupported software in critical infrastructure, the Cybersecurity and Infrastructure Security Agency will work with key stakeholders, including SRMAs, to identify and reduce gaps in SBOM scale and implementation," the implementation plan reads.

For banks that develop their own software — especially if they sell the software to others — these requirements will be of great importance, according to Tom Kellerman, senior vice president of cyber strategy at Contrast Security.

"The requirement for SBOMs will impact all banks, as most banks are developing their own applications," said Kellerman. "Banks will be held accountable for secure development practices."

For reprint and licensing requests for this article, click here.
Cyber security Law and regulation Technology
MORE FROM AMERICAN BANKER