The news: The US House of Representatives is considering legislation to force banks and other companies handling critical infrastructure to report cybersecurity incidents and ransomware payments. The US Senate passed the bipartisan measure last week.
What will banks need to do? If passed, the legislation would require banks to report:
The bill calls for a rulemaking process to determine which companies must comply and which types of cybersecurity incidents would be covered.
CISA’s director would be allowed to issue subpoenas to compel non-compliant companies to cooperate. The director could get the US attorney general involved for civil action if banks failed to comply with the subpoenas.
How we got here: The mandates are part of the Strengthening American Cybersecurity Act, spearheaded in the Senate by Sens. Gary Peters (D-Michigan) and Rob Portman (R-Ohio), the chairman and ranking member of the body’s Homeland Security and Governmental Affairs Committee, respectively.
The legislation was introduced last month amid concerns that the Russian government could conduct cyberattacks retaliating for the US supporting Ukraine.
The bigger picture: The measure follows a rule that three banking regulators adopted in November 2021, which forces banks to report significant cybersecurity incidents to their primary regulator within 36 hours after determining that they happened.
While the two requirements appear to overlap, they serve different purposes, the Bank Policy Institute’s Heather Hogsett told American Banker.
The big takeaway: The pending legislation will help combat rising cybersecurity incidents against banks, which is critical to maintaining digital trust with consumers—a key competitive advantage in which banks have an edge over nonbanks.