Proposed New Data Security Rules Could Prove Duplicative, Forcing Banks to Turn Over Dangerous Amounts of Secured Data

By Troutman Pepper

By: Susan Flint, Kim Phan, and Mary Zinsner 

An amendment to the National Defense Authorization Act passed by the House in July would create a “systemically important entity” designation, applying new regulations and offering priority aid to certain critical infrastructure companies. But the American Bankers Association and Bank Policy Institute say the amendment as applied to financial institutions would duplicate existing regulations under the Dodd-Frank Act, while also requiring the turnover of a substantial amount of cybersecurity-related data that could prove dangerous in the wrong hands. 

The amendment, introduced by Congressman Jim Langevin (D-RI), chairman of the House Armed Services Committee’s Subcommittee on Cyber, Innovative Technologies, and Information Systems, focuses on private sector entities whose core functions are of national consequence to the United States, a definition that would encompass some of the largest companies in the nation’s banking industry.

Explaining the reasoning behind the amendment, Congressman Langevin said, “After all, these entities are particular focal points of leverage to our adversaries — if any of them falls victim to a cyberattack, the entire country is in store for a very bad day. Creating a partnership wherein systemically important entities receive greater support from the federal government to defend their networks, without overburdensome regulation, will enhance our nation’s collective security.” 

But financial industry trade groups say the amendment — which would require covered entities to promptly establish contact with federal authorities and ascertain the need for incident response in the event of a cyberattack — is duplicative since financial institutions are already subject to extensive cybersecurity risk management and incident reporting frameworks imposed by other regulators. Moreover, the proposed amendment would require banks to turn over details about their software vendors and other risks to their supply chains that could prove dangerous if that data were to be stolen from the government in a cyberattack. 

“While some critical infrastructure sectors are not captured by similar designation programs and may warrant additional oversight, financial institutions are already subject to extensive cybersecurity risk management and incident reporting frameworks that require reviews of security controls and data protection measures, the security of vendors and suppliers, governance processes, and incident notification and reporting,” the associations said. “Adding yet another layer of reporting to a different set of agencies with different standards would detract significantly from financial institutions’ essential work defending against cyber threats.” 

Within the coming year, the Department of Homeland Security must establish criteria and procedures for identifying and designating entities as systemically important, and within two years it must establish what reporting requirements will be imposed on those entities. The amendment also includes a provision instructing the Department of Homeland Security to coordinate with the other federal agencies that already regulate systemically important entities, in order to determine whether any existing reporting rules should serve as a basis for exempting such companies from parts of the new requirements.

Troutman Pepper will continue to monitor important developments involving the National Defense Authorization Act’s cybersecurity implications for financial institutions and will provide further updates as they become available.

Troutman Pepper supports the mission of The Cyber Guild to continually advance cybersecurity by attracting diversity to all levels of the industry, unifying allies across the private and public sectors, and ensuring opportunities are as universal as talent.

Susan Flint is a partner in Troutman Pepper’s Consumer Financial Services practice with more than 25 years of experience leading teams responsible for litigation and regulatory enforcement matters. She specializes in issues arising in the financial services industry and has experience representing clients and providing general and specific legal advice and support for high-risk litigation and regulatory issues. Susan has extensive experience defending banking clients in multiple areas, including retail and small business banking, complex commercial litigation, and third-party vendor issues.

Kim Phan is a partner in Troutman Pepper’s Privacy + Cyber practice. A privacy and data security lawyer, Kim assists companies with data breach prevention and response, including establishing effective security programs prior to a data breach and the assessment of breach response obligations following a breach. She is based in Washington, D.C., and frequently writes and speaks about privacy and data security issues for a variety of industries, including consumer financial services, retail, hospitality, higher education, and utilities. 

Mary Zinsner is a trial and appellate lawyer focusing on litigation and strategy in lender liability, the Uniform Commercial Code, bank operations, class actions, consumer finance defense, fiduciary matters, and creditors’ rights disputes. She has broad experience in commercial property disputes, business torts, intellectual property, identity theft, and privacy matters. Mary regularly represents clients in matters pertaining to trade secret theft, covenants not to compete, and other sensitive corporate disputes.