Dear Chairman Peters, Ranking Member Portman, Chairman Thompson, Ranking Member Katko, Chairman Warner, Ranking Member Rubio, Chairman Schiff, Ranking Member Nunes, Chairman Brown, Ranking Member Toomey, Chairman Waters and Ranking Member McHenry:
As Congress considers ways to address our nation’s cybersecurity challenges, we strongly encourage an open and transparent legislative process that allows for input and discussion among interested parties, especially for policies advocated by the Cyberspace Solarium Commission (Commission) to create new designation and reporting requirements for “Systemically Important Critical Infrastructure” (SICI). This proposal requires careful consideration and must account for and coordinate with heavily regulated financial services institutions already subject to cybersecurity requirements.
As one of the few critical infrastructure sectors that has complied with rigorous regulatory requirements for the security and resilience of its operations for over 20 years—including the cybersecurity practices of its vendors, suppliers, and business affiliates—the financial services sector welcomes the prospect of encouraging other sectors to improve their cybersecurity. However, Commission recommendations that add new oversight from the Department of Homeland Security to set mandatory cybersecurity performance standards fail to recognize that the financial sector already has a complicated myriad of requirements through state and federal banking regulators. New proposals for cybersecurity must recognize existing legal and regulatory requirements to ensure front-line cyber defenders can continue to focus on security threats rather than growing reporting and compliance requirements.
Financial institutions meet daily challenges from nation-state actors and cyber criminals and devote significant resources to cybersecurity and collaboration with government partners to protect our financial system and the customers we serve. Firms have made significant investments individually and collectively through organizations like the Financial Services Information Sharing and Analysis Center, the Financial Services Sector Coordinating Council, and the Analysis and Resilience Center—groups that work to improve information sharing and readiness between sectors.
We would welcome a deeper discussion with policymakers on how the public-private partnership can be improved and how the federal government could focus resources to provide more meaningful support to these efforts. For example, the 2020 report by the Cyberspace Solarium Commission recommends intelligence support to the private sector and a structure for operational collaboration (recommendations 5.1.1 and 5.1.2). We believe steps like this would shift the nation’s current approach from reacting after an incident has already occurred to more proactive threat mitigation and prevention. The ability to leverage the intelligence community’s foreign threat collection, analysis and early warning capabilities would provide meaningful support to the nation’s most critical infrastructure.
Thank you for your leadership on these important issues. We look forward to working with you to address the myriad of existing cybersecurity requirements and best practices that banks and other financial institutions adhere to as Congress works to improve critical infrastructure protection and strengthen collaborative efforts between the public and private sectors.
American Bankers Association
Bank Policy Institute
Consumer Bankers Association
Financial Services Forum
Securities Industry and Financial Markets Association