The Administration’s proposal would create a single, national cybersecurity and data breach notification standard, which many companies say will make compliance easier. Not so for financial firms, however. The majority of existing state statutes exempt financial firms, leaving the industry to be governed by its own best practices and agency guidance.
Under the proposal, many financial firms will be designated covered critical infrastructure, and thus subject to additional regulations and oversight in the interest of protecting national economic security. These entities will be required to establish and submit cybersecurity and risk mitigation plans, and will be subject to periodic evaluations by the Department of Homeland Security (DHS).
The financial services industry has come out largely in support of the measure, saying that a national standard will simplify compliance and codify the efforts that financial firms are already making, though it has called for more sector-specific regulation by individual agencies, rather than by DHS. House Republicans have come out strongly against the proposal.
During a hearing last month, House Judiciary Subcommittee on Intellectual Property, Competition, and the Internet Chairman Bob Goodlatte (R-VA) said mandatory federal standards are unrealistic given how quickly technology advances and cybersecurity needs change. Rep. Darrell Issa (R-CA) expressed concerns that the “voluntary” information-sharing described in the bill isn’t truly voluntary when the federal government has the ability to “make life miserable for private-sector companies.”
The Administration counters that the proposal takes a “light touch” when regulating privately-owned critical infrastructure. Senate Republicans have yet to weigh in, and it is unclear how active they will be on this issue, when not a single Republican