ABA Banking Journal
No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
SUBSCRIBE
ABA Banking Journal
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive
No Result
View All Result
No Result
View All Result
Home Compliance and Risk

Understanding the Biden Administration’s Cybersecurity Executive Order

June 10, 2021
Reading Time: 5 mins read
Understanding the Biden Administration’s Cybersecurity Executive Order

By John Hintze

The Biden administration’s timely and unusually broad executive order issued May 12 arrived in the wake of attacks against major corporations and most directly affects the federal government and the private companies with whom it contracts. That includes a relatively small number of banks, but the order’s requirements are likely to ripple and impact banks more broadly, and some may face inquiries from examiners about whether their systems are up to snuff.

In a fact sheet issued with the order, the administration notes the highly publicized attacks against SolarWinds, Microsoft Exchange and the Colonial Pipeline as “sobering” reminders about the malicious cyber activity from nation-states and cyber criminals. In fact, Microsoft disclosed May 27 that the Russia-based cyber attacker that compromised SolarWinds and numerous government computer networks is pursuing a new wave of attacks against organizations in the U.S. and abroad.

“These incidents share commonalities, including insufficient cybersecurity defenses that leave public and private sector entities more vulnerable to incidents,” the statement notes, adding the order is the “first of many ambitious steps” the administration is taking to modernize national cyber defenses.

And the administration is moving expansively. Executive orders are typically aimed at executive branch agencies and departments, but the recent one covers all federal government agencies, including independent ones overseeing banks such the Federal Reserve, FDIC and OCC.

ABA VP and Senior Counsel Denyette DePierro says the order will directly affect private companies contracting with federal government. “The primary focus of the EO is not financial services but the universe of third parties that provide products, services and software to the federal government, that do not have bank-like substantive cybersecurity processes,” DePierro says. That includes the relatively small group of banks facilitating federal services, such as transactional accounts or debt cards to distribute government benefits, she adds.

DePierro says that banks are already adequately regulated and supervised, and must abide by substantial cybersecurity, privacy and information security requirements not present in other industries. In addition, she explains, many banks have already adopted the National Institute of Standards and Technology’s Cybersecurity Framework as their primary cyber risk management tool, and the NIST framework will serve as their executive order cyber standard.

However, many banks are still seeking to meet those standards, and the comprehensive order is likely to cover areas where practice is evolving. Given the federal government’s massive footprint, those institutions will likely feel the order’s ripple effect, assuming its provisions are enforced. Troy La Huis—principal and digital security services leader at Crowe, which ABA endorses for risk management, compliance and governance consulting—notes that less-enforced orders don’t typically demand the same attention, and thus far the cybersecurity order’s enforcement mechanisms remain unclear.

Another key issue is whether federal banking regulators implementing the order themselves will in turn apply its requirements to the banks they regulate. That remains to be seen, La Huis says. “But if its provisions are important enough for the government agencies, then it’s likely they will in turn seek to enforce them within the financial community.”

Given the nuts and bolts of the regulatory process, examiners may start asking about how banks cyber security measure up against the order’s standards as soon as next year, La Huis says. One potentially challenging area for banks, he added, is a requirement in Section 3—on “Modernizing Federal Government Cybersecurity”—to develop a plan to implement “zero trust architecture” that incorporates the migration steps outlined by NIST.

Zero-trust architecture seeks to minimize the threat of cyber attackers infiltrating an organization and usurping user credentials to take control of a network by limiting what users can access. However, implementing it can be costly and typically requires locking down significant parts of the network. Many banks are just starting to consider it.

“Based on our discussions, banks’ chief information security officers are putting this one on the road map,” says Sekhara Gudipati, senior manager on La Huis’ team at Crowe. And should examiners indeed start asking banks about their zero-trust policies and procedures and the relevant technologies, he adds, “that’s when the seriousness and pressure comes” to implement it.

Other portions of the order may benefit banks. Section 4—on “Enhancing the Software Supply Chain Security”—describes the process by which the federal government will develop security guidance for critical software within 270 days of the order’s issuance. By March 2022, the Office of Management and Budget must take steps to require the federal agencies comply with the guidance.

Jordan Rae Kelly, head of cybersecurity for the Americas at FTI Consulting, highlights Section 4 as particularly impactful for the private sector and especially banks, since it is essentially creating an “Energy Star”-type label that software developers must adhere to. First used by the public sector, private-sector companies will also be able to use it to gauge software security.

The financial sector tends to be the “tip of the spear” in terms of investing in cybersecurity, Kelly says. “And what’s going to happen here is the EO will make it even easier to make those choices.”

DePierro says there is “industry optimism” that as large government contractors, including cloud, telecom and other technology companies are required to meet the executive order’s cyber standards, it may ease banks’ own third-party due diligence efforts.

“As federal-government third parties, companies are more likely to become NIST-compliant without banks having to beg, cajole and harangue them into adopting NIST standards and bank-like security,” DePierro says.

Another area that could impact banks is Section 2 on “Removing Barriers to Sharing Threat Information.” This section seeks to remove contractual barriers that may prevent sophisticated technology service providers the government uses from sharing threats they uncover with the appropriate federal department or agency.

La Huis, who has worked with financial institutions since 2004, says banks’ anti-money laundering and cyber fraud functions traditionally share little information, despite the frequently overlapping bad actors they are defending against. The order’s directive could be a catalyst for banks or their examiners to push removing those barriers, at least so AML and cyber fraud work more closely together.

“This may not be a huge lift, but it could quite possibly lead to re-organization, possibly convergence, among those units within banks,” La Huis says.

Other provisions could affect mainly smaller banks, with $10 billion in assets or less. Section 7, for example, requires the federal government to take all possible steps to detect early on the cybersecurity vulnerabilities and incidents in its networks, while Section 8 calls for the government to improve its investigative and remediation capabilities.

In both those instances, La Huis says, smaller banks with fewer resources have been slower to adopt comparable measures in their own institutions, and examiners may inquire about their plans.

Section 6 requires the government establish a board to review and assess the impact of significant cyber incidents impacting the federal government. If such breaches involve a private-sector firm such as Solar Winds, which government contracts, it raises the issue of what data the board should be privy to. One of the next ambitious steps the Biden administration alludes to in its fact sheet may address that issue.

Private companies, including banks, tend to hold that information close to the vest, given the reputational damage it could cause. However, the topic has been discussed candidly in recent security-related conferences, Kelly says. While government officials participating in panels have declined to express views one way or the other, “they’ve made it clear there are challenges we continue to encounter without having mandatory breach reporting.”

John Hintze is a frequent contributor to ABA Risk and Compliance.

Tags: CybersecurityData breachesFraudRisk management
ShareTweetPin

Related Posts

New task force to tackle financial fraud, scams

Survey finds most U.S. adults were scammed in 2025

Compliance and Risk
July 8, 2026

More than two in three adults report they were personally scammed last year, with those scams costing an estimated $68 billion, or four times what was reported to federal authorities, according to a new survey by the Stop...

ABA, BPI support proposed process to create drone no-fly zones

ABA, BPI support proposed process to create drone no-fly zones

Cybersecurity
July 7, 2026

In a joint letter to the FAA, ABA and BPI said that unauthorized unmanned aircraft activity near financial institution sites can create “obvious and legitimate risk” to physical security as well as cybersecurity, as the technology can be...

How to Talk About Your Bank’s Fintech Collaborations

The trust dividend

Technology
July 7, 2026

How regulatory and consumer expectations are shifting how partner banks compete for fintech deposits.

FCC grants ABA-requested extension of ‘revoke all’ rule’s effective date

ABA joins with consumer rights group to protect fraud alerts

Compliance and Risk
July 1, 2026

ABA joined with the National Consumer Law Center and ACA International in proposing to the FCC a rewrite of the “revoke all” rule. The rule is set to take effect on January 31, 2027, but the FCC is...

A close call with fraud

ABA Fraudcast: Defending customers from wire fraud

Compliance and Risk
July 1, 2026

'It's asking questions like: Have you been coached? Is someone telling you to do this? Is this going into an account that you opened or authorized to be opened?'

Republican lawmakers urge Trump officials to preserve CDFI Fund

House committee advances ABA-backed bills on fair credit liability, check fraud

Compliance and Risk
June 30, 2026

The House Financial Services Committee advanced legislation that would align Fair Credit Reporting Act liability with other financial consumer protection laws, reform the Securities and Exchange Commission and give banks more time to verify suspicious checks. The three...

NEWSBYTES

Survey finds most U.S. adults were scammed in 2025

July 8, 2026

ABA urges lawmakers to restore limited NOL carryback option

July 8, 2026

Consumer credit was unchanged in May

July 8, 2026

SPONSORED CONTENT

Why Your Systems Keep Slowing Down — and What to Do About It

Examiners Are Now Looking at Your Non-Core Systems

June 11, 2026
Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

Your Floorplan Audit and Your Credit Decision Are Weeks Apart. That Gap Has a Price.

June 1, 2026
A Modern Blueprint for Serving High-Net-Worth Families

A Modern Blueprint for Serving High-Net-Worth Families

May 28, 2026
Why Your Systems Keep Slowing Down — and What to Do About It

AI Is in Your Bank. Is Your Cloud Contract Governing It?

May 20, 2026

PODCASTS

Podcast: Understanding the 2025 Home Mortgage Disclosure Act data

July 8, 2026

Podcast: Financing America’s independence

June 29, 2026

Podcast: Talent and innovation in community banking

June 18, 2026

American Bankers Association
1333 New Hampshire Ave NW
Washington, DC 20036
1-800-BANKERS (800-226-5377)
www.aba.com
About ABA
Privacy Policy
Contact ABA

ABA Banking Journal
About ABA Banking Journal
Media Kit
Advertising
Subscribe

© 2026 American Bankers Association. All rights reserved.

No Result
View All Result
  • Topics
    • Ag Banking
    • Commercial Lending
    • Community Banking
    • Compliance and Risk
    • Cybersecurity
    • Economy
    • Human Resources
    • Insurance
    • Legal
    • Mortgage
    • Mutual Funds
    • Payments
    • Policy
    • Retail and Marketing
    • Tax and Accounting
    • Technology
    • Wealth Management
  • Newsbytes
  • Podcasts
  • Magazine
    • Subscribe
    • Advertise
    • Magazine Archive
    • Newsletter Archive
    • Podcast Archive
    • Sponsored Content Archive

© 2026 American Bankers Association. All rights reserved.