BITS Statement on the Administration’s Revised Critical Infrastructure Policy

Washington, D.C. – The Administration issued a National Security Memorandum on Critical Infrastructure Security and Resilience today, updating Presidential Policy Directive 21 (PPD 21), which establishes a uniform national policy for identifying and mitigating threats to U.S. critical infrastructure. The policy applies to all government agencies and is intended to protect the 16 critical infrastructure sectors – including financial services – that are considered most vital to our national security and economic interests.

What We’re Saying:

Heather Hogsett, BPI senior vice president, technology and risk strategy for BITS, stated:

“BPI strongly supports the National Security Memorandum and commends the Administration for its ongoing commitment to strong public-private partnerships. The memorandum builds on effective approaches to strengthening security and resilience and recognizes that critical infrastructure entities are the first line of defense against nation-state attacks and cybercriminals. It will also support the financial sector by enhancing collaboration with national security agencies to ensure the intelligence community collects, analyzes and disseminates timely information on threats to critical infrastructure to support national-level systemic risk mitigation. We look forward to continued collaboration with Treasury, CISA and the Administration to ensure the memorandum’s successful implementation.”

What Has Changed?

  • Treasury remains the primary cybersecurity point of contact for banks. The memorandum updates the roles and responsibilities of federal agencies and helps to clear up potential redundancies between CISA, Treasury and the prudential banking regulators.
  • CISA is responsible for cross-sector risk mitigation efforts. Information sharing and collaboration between sectors of the economy help to prioritize preparedness and response activities and can minimize contagion during an incident. Emphasizing this as a top priority for CISA will help drive progress.
  • The intelligence community will play a bigger role in critical infrastructure protection. The directive will require the intelligence agencies to prioritize critical infrastructure protection in internal policies, annual budgets and planning efforts so that the private sector receives timely and actionable threat information.
  • Rules for how systemically important entities are designated will change. Banks are already subject to the systemically important financial institution (SIFI) designation as well as other designations from past executive orders. These changes will better align risk designations to avoid duplication and ensure they are tailored to the risks facing financial institutions. The new “systemically important entity” designation will help identify and prioritize national systemic risks across all sectors of the economy and Treasury will have direct input into these designations on behalf of the financial services sector.

Additional Background:

PPD-21 was first established in 2013 under the Obama Administration. These changes would mark the first major update to U.S. critical infrastructure policy in over a decade.


About Bank Policy Institute.

The Bank Policy Institute (BPI) is a nonpartisan public policy, research and advocacy group, representing the nation’s leading banks and their customers. Our members include universal banks, regional banks and the major foreign banks doing business in the United States. Collectively, they employ almost 2 million Americans, make nearly half of the nation’s small business loans, and are an engine for financial innovation and economic growth.

Media Contact

Austin Anton
Bank Policy Institute

Media Inquiry

  • This field is for validation purposes and should be left unchanged.