Skip to main content
close search
site logo

NDAA provision would make cyber agency a bank regulator, trade groups say

The bill would create a designation for systemically important entities, and require them to report information to the Cybersecurity and Infrastructure Security Agency.

Published Aug. 3, 2022
Anna Hrushka's headshot
Senior Reporter
A view of the Capitol Dome from below with an American flag waving in the wind on the left side and blue skies in the background.
iStock via Getty Images

Bank trade groups are pushing back on a provision in the 2023 defense spending bill they say would subject financial institutions to duplicate reporting and compliance requirements, as well as increased risk.

At issue is language in the House-passed National Defense Authorization Act (NDAA) that would create a designation for systemically important entities (SIEs), and require them to report certain information to the Cybersecurity and Infrastructure Security Agency (CISA). 

That provision, the Bank Policy Institute (BPI) and the American Bankers Association (ABA) argue, would add an additional layer of reporting requirements for banks.

In a joint letter sent to the chairs and ranking members of the Senate Armed Services and Senate Homeland Security and Governmental Affairs Committees on Friday, the trade groups said they support efforts to improve the identification and risk assessment of critical infrastructure, but they believe the provision, as written, “would duplicate existing designations without addressing gaps in government efforts to help protect private critical infrastructure from national security threats.”

The SIE provision would essentially make CISA an additional regulator to which banks would need to report, said Heather Hogsett, BPI’s policy lead.

“If you think about all of the different regulations for cybersecurity, the reporting that goes along with that, the oversight and examination that firms comply with, we see this SIE provision in essence, duplicating that by adding CISA as yet another regulator on top of what we already do,” she said. 

Hogsett said the trade groups are concerned the additional reporting requirements could redirect the focus of a bank's front-line cyber defenders from protecting the firm to meeting the additional government reporting requirements. Some banks might also need to increase their cybersecurity staff as a result, Hogsett added.

“If you follow some of the challenges with the cyber workforce, we have a shortage of qualified professionals for a number of these important roles, so it's a challenge because it's going to divert firms’ eyes potentially from areas where they feel they should really be focused, particularly in today's threat environment,” she said.

While language in the bill calls for coordination between CISA and industry regulators to eliminate duplicate reporting and compliance requirements, the groups say banks would still be burdened with additional reporting.

“Given the nature of financial regulations and the information CISA would require, however, a financial firm would have to prepare completely different reports to CISA,” the groups wrote. “We would welcome a dialogue on how we can continue to inform CISA’s risk analysis efforts, but legislation should exempt regulated financial institutions from new reporting requirements.”

Increased risk?

The groups also believe the legislation could potentially increase risk to financial firms, given the type of sensitive information the bill would require banks to report to CISA, Hogsett said. 

“[The bill] refers to having the critical infrastructure company identify their critical assets, system, suppliers, technologies, software, services, processes or other dependencies,” Hogsett said. “These are the kinds of things that firms go to great extent to keep secure within the firm, because if they were inappropriately disclosed, it's in essence offering an attacker a roadmap to take down your bank or a critical system for you.”

In their letter, the trade groups said the legislation does not specify what CISA would do with such information, nor how it would be shared or protected against disclosure.

“Financial services is often acknowledged as being among the best protected sectors, given the robust regulatory requirements that we already have,” Hogsett said, adding the goal of the NDAA’s SIE designation may be to raise the bar for other sectors.

“That would undoubtedly be a benefit to all of us,” she said. “However, we shouldn't further complicate and create challenges for financial institutions in the process of raising the bar for others.”

In addition to the reporting and risk concerns, the groups expressed a desire for the banking industry to receive more intelligence support from the government.

“We've been asking for a number of years for greater intelligence support from the government for firms to help combat these threats that are oftentimes originating overseas, and we would like to see that incorporated into any sort of legislation addressing systemic cyber risks to our critical infrastructure,” Hogsett said.

Editors' picks

  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024
  • Bank sign
    Image attribution tooltip
    Courtesy of U.S. Bank
    Image attribution tooltip

    U.S. Bank reaches its proving ground

    The super-regional is at an “inflection point” after recent acquisitions and tech updates, CEO Andy Cecere said at the bank’s investor day. One analyst, however, is calling for “a new set of eyes at the top.”

    By Caitlin Mullen • Sept. 13, 2024

Company Announcements

View all | Post a press release
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Agent IQ
October 31, 2024
Unitus Community Credit Union Deploys JUDI.AI to Scale Small Business Lending
From JUDI.AI
October 31, 2024
Agent IQ and Narmi Announce Strategic Partnership to Improve Digital Banking Experiences
From Narmi
October 31, 2024
Congressman urges CFPB to support SoLo Funds’ community-focused lending model
From Solo Funds
October 30, 2024
Editors' picks
  • JPMorgan Chase building signage in New York City
    Image attribution tooltip
    Michael M. Santiago / Staff via Getty Images
    Image attribution tooltip

    JPMorgan, Zelle may have upper hand if litigation ensues

    If the banks that own Zelle’s parent battle the Consumer Financial Protection Bureau in court, they may find some federal judges open to their arguments, said lawyers specializing in the area.

    By Patrick Cooley • Aug. 16, 2024
  • Bank sign
    Image attribution tooltip
    Courtesy of U.S. Bank
    Image attribution tooltip

    U.S. Bank reaches its proving ground

    The super-regional is at an “inflection point” after recent acquisitions and tech updates, CEO Andy Cecere said at the bank’s investor day. One analyst, however, is calling for “a new set of eyes at the top.”

    By Caitlin Mullen • Sept. 13, 2024
Latest in Regulations & Policy
image/svg+xml
Industry Dive is an Informa business
© 2024 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell