New Cybersecurity Law Should Complement Existing Regs: Bank Lobbyists

The U.S. government's push to fortify the nation's cyber defenses should complement industry efforts, bank and credit union lobbying groups are expected to tell Congress on Tuesday.

Financial networks are already subject to significant laws, regulations and standards that tie to cybersecurity, the American Bankers Association said in testimony prepared for a hearing before the House Energy and Commerce Committee.

The hearing, at which the panel is expected to take testimony from the financial, energy, telecommunications and defense industries, comes amid a push by the White House for a voluntary system that would encourage sharing of information about pending threats among the government and owners of critical infrastructure. The hearing also follows a report Sunday that hackers backed by China's military have resumed a campaign of cyberattacks on American businesses.

An order issued by President Obama in February gave the National Institute of Standards and Technology eight months to delineate a preliminary information-sharing framework.

"ABA believes it is particularly important that NIST's efforts…complement and build upon existing cybersecurity standards adopted by the U.S. financial services industry," Charles Blauner, Citigroup's (NYSE:C) global head of information security, wrote in prepared testimony on behalf of the trade group.

The ABA supports both the Obama administration's development of the framework and the Cyber Intelligence Sharing and Protection Act, or CISPA, a bill the House passed in April that would authorize U.S. intelligence agencies to share cyber threats with private-sector firms, according to Blauner, who also chairs the Financial Services Sector Coordinating Council.

The council's members include JPMorgan Chase (JPM), Bank of America (BAC), Wells Fargo (WFC), Fannie Mae, Freddie Mac, MasterCard (MA), PayPal, Visa (NYSE:V) and roughly 48 other companies, associations and exchanges.

The National Association of Federal Credit Unions, which also belongs to the council, urged the committee separately on Monday to shield credit unions from some of the costs of data breaches such as those that occurred in 2011 when thieves stole credit card information from retailer Michaels Stores and Sony.

"It is the credit union or other financial institution that must notify its account holders, issue new cards, replenish stolen funds, change account numbers and accommodate increased customer service demands that inevitably follow a major data breach," Dan Berger, NAFCU's head of government affairs, wrote in a letter to the committee. "The negligent entity that caused these expenses by failing to protect consumer data loses nothing and is often undisclosed to the consumer."

The ABA urged the committee to let each industry spearhead development of a framework that makes sense for its members.

"We strongly recommend that each sector coordinating council take the lead in developing a framework that is specific to that sector so that critical infrastructure can be identified in a manner that is repeatable, transparent and predictable," wrote Blauner.

Blauner added that the framework should build upon current regulatory oversight and avoid duplicative audits, as well as include incentives "compelling enough to affect corporate investment behavior."

The framework also will demand trust, said Blauner, who noted that the ABA, the council and the Financial Services Information Sharing and Analysis Center, or FS-ISAC, have worked to promote trust among financial services firms, regulators, law enforcement and intelligence agencies.

"Trust cannot be legislated, trust must be earned and we cannot afford to do anything that damages the levels of trust that have already been established," Blauner wrote.
