A House-approved provision of the National Defense Authorization Act (NDAA), the bill that authorizes spending by the Defense Department, is speculated to have created a security threat to financial institutions, banking groups warned. The goal of the provision was to identify systemically important entities, including critical infrastructure. However, it may have done more harm than good, the banking associations argued in a letter to key senators. They feared that the details sent to the Cybersecurity and Infrastructure Security Agency (CISA) might have exposed the firms and that cybercriminals or hackers could misuse important information, including details of software services and processes.
Attacks on websites by hackers are increasing, and gaining access to such critical data may lead attackers straight to the firms' systems. The letter read, “Adding yet another layer of reporting to a different set of agencies with different standards would detract significantly from financial institutions’ essential work defending against cyber threats”.
In the letter, the banking associations encouraged efforts to mature CISA’s mechanism for risk assessment models.
The letter dated July 29, 2022, by the American Bankers Association and the Bank Policy Institute, detailed the issues in the NDAA provision regarding duplication with existing systemic designations and requirements, requirements to share sensitive information, and insufficient support for operational collaboration between firms and intelligence agencies.
Work on the NDAA bill is expected to begin soon. Hence, the banking groups are pressing for a refined provision with changes that could not be addressed previously. The bill will reach the Senate in September, before which the groups are trying their best to convey their concerns about cybersecurity and data privacy.
A new provision focused on an interagency process at the Department of Homeland Security was proposed to address several underlying issues, including security. It was submitted by Rep. Jim Langevin, D-R.I., to limit the number of entities to fewer than 200. These entities were designated as systemically important and required to report to CISA.