A new cybersecurity plan the White House released Thursday could have a mix of implications for banks: Liability for breaches could shift away from responsible software developers, and banks would be held more accountable for their vendor choices and could be required to provide ingredient lists for the software programs they develop in-house.
On Thursday, the White House released an
The only specific mention of financial services in the document pertained to global anti-money laundering and countering the financing of terrorism, but experts said that as critical infrastructure entities, banks will also feel the impact of plans.
Liability for software vulnerabilities
One of the main changes the White House hopes to make with its cybersecurity strategy has to do with liability for data breaches and insecure software. The administration hopes to ensure "that the biggest, most capable, and best-positioned entities – in the public and private sectors – assume a greater share of the burden for mitigating cyber risk," according to a
But for the most part, the implementation plan focuses on what companies can do to limit their liability for vulnerabilities in software. The plan specifically references part of the National Cybersecurity Strategy from March that discusses a "safe harbor framework to shield from liability companies that securely develop and maintain their software products and services."
The strategy document identifies potential avenues for cutting cybercriminals off from financing, as well as other actions banks can take.
The implementation plan includes three initiatives under the strategic objective of shifting liability for insecure software. The first is to have the Office of the National Cyber Director host a legal symposium to "explore different approaches to a software liability framework" to discuss how the software vulnerability liability framework would compare to other liability regimes.
The second initiative under this liability umbrella is to have federal agencies work with the Cybersecurity and Infrastructure Security Administration to "identify and reduce gaps" in the "scale and implementation" of software bills of materials (SBOMs), with the intent of mitigating risks presented by unsupported software.
The third initiative is to "build domestic and international support for an expectation of coordinated vulnerability disclosure" across sectors, which in banking would mean greater coordination between software providers, banks and white-hat hackers in identifying and closing cybersecurity holes in software.
Harmonizing regulations
As for other specifics in the implementation plan, the first element is to "establish an initiative on cyber regulatory harmonization," according to the document. Cyber regulatory harmonization has been
Rules around what, when, and to whom a bank must report in the wake of a data breach remain a key point of regulatory friction. Some hope a new federal office could help.
The Bank Policy Institute, a public policy research and advocacy group,
The White House's implementation plan calls on the Office of the National Cyber Director to put out a request for information that will help the office understand "existing challenges with regulatory overlap" so that it can "explore a framework for reciprocity for baseline requirements," according to the plan.
The second initiative in the plan calls for setting "cybersecurity requirements across critical infrastructure sectors." The National Security Council, which is already leading a policymaking process to this end, will work with Sector Risk Management Agencies (SRMAs) to develop proposals to establish cyber requirements. For financial services, the Department of Treasury
Software ingredient lists
The implementation plan also provides details on the president's efforts to establish requirements on software bills of materials (SBOMs), which is a nested inventory of the ingredients that make up software components.
It remains unclear to what extent banks will need to provide ingredient lists for software they develop. So far, only software vendors that sell to federal agencies face requirements that concern bills of materials, but Thursday's implementation plan suggests SBOMs may become ubiquitous within critical infrastructure sectors such as banking.
"In order to collect data on the usage of unsupported software in critical infrastructure, the Cybersecurity and Infrastructure Security Agency will work with key stakeholders, including SRMAs, to identify and reduce gaps in SBOM scale and implementation," the implementation plan reads.
For banks that develop their own software — especially if they sell the software to others — these requirements will be of great importance, according to Tom Kellerman, senior vice president of cyber strategy at Contrast Security.
"The requirement for SBOMs will impact all banks, as most banks are developing their own applications," said Kellerman. "Banks will be held accountable for secure development practices."