As the Senate considers the 2023 National Defense Authorization Act, the American Bankers Association and the Bank Policy Institute urged lawmakers to omit language that would create a designation for “systemically important entities,” including large banks, for the purposes of assessing risks to critical infrastructure entities. The provision, which was included as an amendment to the House-passed version of the bill, would also allow the Cybersecurity and Infrastructure Agency to accept reports from regulators.
The groups noted that it would duplicate existing efforts to monitor cybersecurity risk at these firms, and that banks are already subject to designation as systemically important financial institutions under the Dodd-Frank Act and required to adopt enhanced measures for security and resilience. They also pointed out that sharing sensitive information with CISA could increase risk to firms, among other things.
“While some critical infrastructure sectors are not captured by similar designation programs and may warrant additional oversight, financial institutions are already subject to extensive cybersecurity risk management and incident reporting…
