As the Senate considers the 2023 National Defense Authorization Act, the American Bankers Association and the Bank Policy Institute urged lawmakers to omit language that would create a designation for “systemically important entities,” including large banks, for the purposes of assessing risks to critical infrastructure entities. The provision, which was included as an amendment to the House-passed version of the bill, would also allow the Cybersecurity and Infrastructure Security Agency (CISA) to accept reports from regulators.
The groups noted that it would duplicate existing efforts to monitor cybersecurity risk at these firms, and that banks are already subject to designation as systemically important financial institutions under the Dodd-Frank Act and required to adopt enhanced measures for security and resilience. They also pointed out that sharing sensitive information with CISA could increase risk to firms, among other things.
“While some critical infrastructure sectors are not captured by similar designation programs and may warrant additional oversight, financial institutions are already subject to extensive cybersecurity risk management and incident reporting frameworks that require reviews of security controls and data protection measures, the security of vendors and suppliers, governance processes, and incident notification and reporting,” the associations said. “Adding yet another layer of reporting to a different set of agencies with different standards would detract significantly from financial institutions’ essential work defending against cyber threats.”