FSOC Calls for Further Cybersecurity Safeguards

WASHINGTON — Treasury Secretary Jack Lew, head of the Financial Stability Oversight Council, renewed calls on Monday for Congress to pass legislation that would help address ongoing cybersecurity threats to financial institutions.

"We need legislation," Lew said during a public FSOC meeting. "Some of the sharing goes beyond what we can do through the executive order. We are trying to work at the limit of what the executive order permits."

Although President Obama issued an executive order in February designed to help information sharing between the government and private companies like banks, many regulators have said it does not go far enough.

During the meeting, Cyrus Amir-Mokri, an assistant secretary at the Treasury, said the order cannot "be a substitute for cybersecurity legislation."

"The administration hopes to work with Congress to ensure our laws keep pace with the evolving threats while protecting privacy and civil liberties," he said.

The House passed a bill in April that would immunize companies from legal liability for sharing cyber threat information. Though the measure had the backing of the Chamber of Commerce and other business groups, the White House threatened to veto the bill, saying it did too little to protect online privacy.

The Senate has also wrestled with the issue, with many in the industry opposing a proposed bill because they feared it would only add more regulatory mandates.

Regulators, meanwhile, have become more focused on cybersecurity.

In June, Comptroller of the Currency Thomas Curry, as head of the Federal Financial Institutions Examination Council, established an interagency task force of financial regulators to closely examine the cybersecurity issue and figure out how to improve information sharing among both state and federal regulators.

"Cybersecurity is an ongoing issue that demands close coordination and partnership among all of the agencies and various private sectors including the critical role in the link of the telecommunication sector and various financial market utilities," Curry said at the FSOC meeting.

U.S. banks have been the target of a series of coordinated distributed denial-of-service attacks against their public Web sites since 2012. Regulators have become increasingly worried that with new products offered online, including through mobile phones and over social media, financial institutions will face even more advanced cyberattacks.

The Treasury Department and financial regulators have already been working to help facilitate information sharing between the government and the financial services sector in response to such attacks.

The issue was among several emerging threats the FSOC named in its annual report this year. Cyberattacks, the council argued, could have consequences for financial institutions' operations and efficiency if they wind up disrupting, degrading, or harming the integrity of critical financial infrastructures.

"Financial regulators should continue to review and update their examination policies and guidance for information security in light of the evolving threat environment," the 10-member voting council wrote in its 2013 annual report. 

Amir-Mokri, in his presentation to the council, laid out current efforts being undertaken by regulators to address the issue, stressing the importance of working with private institutions in meeting targeted threats to the financial system.

"Cybersecurity is a complex subject," Amir-Mokri said. "Given the nature of the threat and its potential sources, it can be addressed only through a whole-of-government approach combined with a strong public-private partnership."   

Regulators have been working steadily to execute the president's directive calling on agencies and departments to work with the private sector to take steps to protect the nation against cyber threats.

For now, financial regulators have been providing guidance to banks regarding "appropriate governance mechanisms, information security procedures and testing, adequate backup system, and emergency business continuity and recovery plans," Amir-Mokri said.

But Kelly King, chief executive of BB&T, who also presented at the meeting, said more was needed. He called on regulators to provide additional support to the industry in such efforts.

"We need help in terms of ensuring that the private sector and key government agencies are really cooperating," King said. "We need to have more coordinated information coming from the intelligence agencies through Treasury to the industry to be able to use and effectively mitigate these efforts. We need help in terms of declassifying more information so that the information can be gotten to the banks on a more timely basis."

King also expressed continued support for pursuing cybersecurity legislation.

"We need to particularly focus on information sharing that provides liability protection for good-faith information sharing," he said. "We have today some real limitations from a legal point of view in terms of the banks being able to work together to share information and that needs to be clarified legislatively."
