President Biden today signed a national security memorandum launching what the White House characterized as a comprehensive effort to protect U.S. infrastructure against all threats and hazards. Among other things, the memo directs federal, state and local governments to prioritize establishing minimum requirements for risk management, including requirements that address specific industry sector risks and cross-sector risks. It also keeps the Treasury Department as the agency coordinating risk management efforts in the financial sector.
The memo replaces a decade-old presidential policy document on protecting critical infrastructure. The Department of Homeland Security will lead the effort, with the Cybersecurity and Infrastructure Security Agency acting as coordinator among the various agencies overseeing the federal government’s 16 designated critical infrastructure sectors.
In terms of regulatory requirements, the policy said that rules adopted by all federal, state and local governments should leverage existing guidance when applicable. “Regulatory frameworks should be risk- and performance-based when feasible; informed by existing requirements, standards and guidelines; aligned to reduce unnecessary duplication; complementary to voluntary public-private collaboration; and scalable and adaptable to an evolving risk environment,” the memo states. “Requiring and enforcing minimum resilience and security requirements and recommendations that direct building resilience into critical infrastructure assets and systems upfront, and by design, shall be a primary responsibility of the federal government.”
Paul Benda, EVP of risk, fraud and cybersecurity at the American Bankers Association and vice chair of the Financial Services Sector Coordinating Council, said the updated directive reaffirms Treasury’s important role and builds on the successful public-private sector collaboration for cybersecurity and critical infrastructure.
“It also updates the rules for how ‘systemically important entities’ are designated, allowing the U.S. government to better identify and prioritize national systemic risks across all sectors of the economy,” Benda said. “These changes will better align risk designations to avoid duplication and ensure they are tailored to the risks facing financial institutions today.”