WASHINGTON — Concerns are mounting about the inclusion of eleventh-hour language into a Senate cybersecurity bill that could prompt new rules for financial institutions.
The Cybersecurity Information Sharing Act cleared the Senate 74-21 after several days of debate on the chamber floor. The measure is intended to make it easier for the private sector and government to share information about potential cyber attacks, though privacy advocates have continued to warn that it will erode consumer protections.
Bankers have been pushing hard for the bill for several years, and largely lauded the successful vote. Still, last-minute language by Sen. Susan Collins, R-Maine — added to the manager's amendment to the legislation last week — is giving some in the industry pause.
The Collins provision, known as section 407, would require the Department of Homeland Security to assess the risk level of firms — including some banks — designated as critical infrastructure entities, and develop a strategy for mitigating the risk of future attacks.
"The section 407 language would require DHS to develop procedures that could turn into regulation when it comes to reporting cyber attacks," said Dave Oxner, managing director of federal government relations at the Securities Industry and Financial Markets Association. "That almost immediately begins to look like mandatory reporting and that couldn't be further away from the intention of CISA, which is based on voluntary reporting."
Industry representatives said the banking industry will be pushing hard to remove the provision from final legislation before it's signed into law. The Senate is set to negotiate with the House, which passed two related cybersecurity bills this past spring. Banking officials are hoping to have more clarity around how the two chambers will reconcile the differences in the legislation in coming days and weeks. The White House endorsed the bill last week ahead of the vote, though it raised concerns with several provisions.
It's not yet clear if lawmakers will organize a formal conference or attempt to work out a deal behind the scenes. The various proposals share much in common, though lawmakers still have to hash out a number of thorny details, including which agency will oversee the program and exactly how personal information is stripped out before data is shared.
Given the bill's strong vote on the Senate floor, "we hope that's a good precursor for something to be done before the end of the year," said James Ballentine, executive vice president of congressional relations and political affairs at the American Bankers Association.
Although the bill saw relatively little pushback leading up to Tuesday's vote, the legislative approach is several years in the making. Sens. Richard Burr, R-N.C., and Diane Feinstein, D-Calif., the lead authors on the bill, faced several false starts earlier this year as they moved the proposal from the Intelligence Committee to the floor.
"The breaches have really piled up since 2012 while they've been considering the measure, and it's clear that the Senate believed that they need to do something," said Nathan Taylor, a partner at Morrison Foerster.
The proposal is important for the industry because it includes certain protections from the threat of lawsuits and Freedom of Information Act requests for those sharing information.
"What this bill does is it makes absolutely clear that, notwithstanding any other law, you can share cyberthreat data for security purposes with third parties and the federal government," Taylor added. "If a company is considering sharing information, this should make the general counsel's job of reviewing the legal implications of sharing a lot easier."