It seems as if every day there is a new report of a data breach or cyber attack. For the same reason that Willie Sutton robbed banks — “because that’s where the money is” — cyber criminals have been incessant in their targeting of financial institutions. So it should come as no surprise that in an October 19, 2015, letter to Senate Majority Leader Mitch McConnell (R-KY) and Minority Leader Harry Reid (D-NV), the Securities Industry and Financial Markets Association (SIFMA) strongly urged the Senate to adopt the Cybersecurity Information Sharing Act of 2015 (CISA).
The bill appears slated to hit the Senate floor in the coming days. If enacted, CISA will significantly streamline the ability of private businesses to share emerging cybersecurity threats (cyber threat indicators) and responses thereto (defensive measures) with the federal government. This collaboration is intended to improve cybersecurity in the U.S. by making companies better informed about the warning signs of a cyber attack so they can more readily identify future attacks and, in the event of an attack, be prepared to take timely action to safeguard their data.
SIFMA is joined by the Financial Markets Association and at least 14 other financial services trade groups in supporting the enactment of CISA. SIFMA’s letter cites the bona fide risk of a successful cyber attack and the resulting significant impact on the U.S. economy and across the globe in arguing that CISA “will help the financial services industry to better protect our systems and data as well as the privacy of our customers.” However, the bill is not without its detractors, with several well-known technology companies and privacy groups objecting on privacy grounds.
Who will ultimately prevail in this installment of the never-ending balancing act between security and privacy is not yet known. There’s an amendment floating around that’s very popular with companies, but is probably a nonstarter with the Obama administration. It will be considered in the coming days and could ultimately determine the fate of the legislation. Further, recall that the House passed its own version of an information sharing bill over the summer, so if CISA passes the Senate, it’s likely that the House will substitute its own version for it and we’ll be headed to conference and reconciliation.
Regardless of what CISA’s future may be, cyber attacks directed at financial institutions are sure to continue. As a result, so, too, will the need for financial institutions and other entities to proactively identify solutions to better protect their systems, data and customer information.