[Congressional Record Volume 166, Number 7 (Monday, January 13, 2020)]
[House]
[Pages H195-H198]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




       CYBERSECURITY AND FINANCIAL SYSTEM RESILIENCE ACT OF 2019

  Ms. WATERS. Madam Speaker, I move to suspend the rules and pass the 
bill (H.R. 4458) to require the Board of Governors of the Federal 
Reserve System to issue reports on cybersecurity with respect to the 
functions of the Federal Reserve System, and for other purposes, as 
amended.
  The Clerk read the title of the bill.
  The text of the bill is as follows:

                               H.R. 4458

       Be it enacted by the Senate and House of Representatives of 
     the United States of America in Congress assembled,

     SECTION 1. SHORT TITLE.

       This Act may be cited as the ``Cybersecurity and Financial 
     System Resilience Act of 2019''.

     SEC. 2. CYBERSECURITY AND FINANCIAL SYSTEM RESILIENCE REPORT.

       (a) In General.--Not later than the end of the 180-day 
     period beginning on the date of

[[Page H196]]

     enactment of this Act, and annually thereafter, each banking 
     regulator shall submit a report to the Committee on Financial 
     Services of the House of Representatives and the Committee on 
     Banking, Housing, and Urban Affairs of the Senate that 
     provides a detailed explanation of measures undertaken to 
     strengthen cybersecurity with respect to the functions of the 
     regulator, including the supervision and regulation of 
     financial institutions and, where applicable, third-party 
     service providers. Each such report shall specifically 
     include a detailed analysis of--
       (1) policies and procedures (including those described 
     under section 3554(b) of title 44, United States Code) that 
     guard against--
       (A) efforts to deny access to or degrade, disrupt, or 
     destroy any information and communications technology system 
     or network, or exfiltrate information from such a system or 
     network without authorization;
       (B) destructive malware attacks;
       (C) denial of service activities; and
       (D) any other efforts that may threaten the functions of 
     the banking regulator or entities overseen by the regulator 
     by undermining cybersecurity and the resilience of the 
     financial system;
       (2) activities to ensure the effective implementation of 
     policies and procedures described under paragraph (1), 
     including--
       (A) the appointment of qualified staff, the provision of 
     staff training, the use of accountability measures to support 
     staff performance, and the designation, if any, of senior 
     appointed leadership to strengthen accountability for 
     oversight of cybersecurity measures;
       (B) deployment of adequate resources and technologies;
       (C) efforts to respond to cybersecurity-related findings 
     and recommendations of the Inspector General of the banking 
     regulator or the independent evaluation described under 
     section 3555 of title 42, United States Code; and
       (D) as appropriate, efforts to strengthen cybersecurity in 
     coordination with other Federal departments and agencies, 
     domestic and foreign financial institutions, and other 
     partners, including the development and dissemination of best 
     practices regarding cybersecurity and the sharing of threat 
     information; and
       (3) any current or emerging threats that are likely to pose 
     a risk to the resilience of the financial system.
       (b) Form of Report.--The report required under subsection 
     (a) shall be submitted in unclassified form, but may include 
     a classified annex, if appropriate.
       (c) Congressional Briefing.--Upon request, the head of each 
     banking regulator shall provide a detailed briefing to the 
     appropriate Members of Congress on each report submitted 
     pursuant to subsection (a), except--
       (1) the Chairman of the Board of Governors of the Federal 
     Reserve System may designate another member of the Board of 
     Governors of the Federal Reserve System to provide such 
     briefing;
       (2) the Chairperson of the Federal Deposit Insurance 
     Corporation may designate another member of the Board of 
     Directors of the Corporation to provide such briefing; and
       (3) the Chairman of the National Credit Union 
     Administration may designate another member of the National 
     Credit Union Administration Board to provide such briefing.
       (d) Definitions.--For the purposes of this Act:
       (1) Appropriate members of congress.--The term 
     ``appropriate Members of Congress'' means the following:
       (A) The Chairman and Ranking Member of the Committee on 
     Financial Services of the House of Representatives.
       (B) The Chairman and Ranking Member of the Committee on 
     Banking, Housing, and Urban Affairs of the Senate.
       (2) Banking regulator.--The term ``banking regulator'' 
     means the Board of Governors of the Federal Reserve System, 
     the Comptroller of the Currency, the Federal Deposit 
     Insurance Corporation, and the National Credit Union 
     Administration.
       (3) Senior appointed leadership.--With respect to a banking 
     regulator, the term ``senior appointed leadership'' means a 
     position that requires Senate confirmation.
       (e) Sunset.--The provisions of this Act shall have no force 
     or effect on or after the date that is 7 years after the date 
     of enactment of this Act.

     SEC. 3. DETERMINATION OF BUDGETARY EFFECTS.

       The budgetary effects of this Act, for the purpose of 
     complying with the Statutory Pay-As-You-Go Act of 2010, shall 
     be determined by reference to the latest statement titled 
     ``Budgetary Effects of PAYGO Legislation'' for this Act, 
     submitted for printing in the Congressional Record by the 
     Chairman of the House Budget Committee, provided that such 
     statement has been submitted prior to the vote on passage.

  The SPEAKER pro tempore. Pursuant to the rule, the gentlewoman from 
California (Ms. Waters) and the gentleman from North Carolina (Mr. 
McHenry) each will control 20 minutes.
  The Chair recognizes the gentlewoman from California.


                             General Leave

  Ms. WATERS. Madam Speaker, I ask unanimous consent that all Members 
may have 5 legislative days within which to revise and extend their 
remarks on this legislation and to insert extraneous material thereon.
  The SPEAKER pro tempore. Is there objection to the request of the 
gentlewoman from California?
  There was no objection.
  Ms. WATERS. Madam Speaker, I yield myself such time as I may consume.
  Madam Speaker, I rise in support of H.R. 4458, the Cybersecurity and 
Financial System Resilience Act, which is sponsored by the ranking 
member of the Financial Services Committee, Mr. McHenry.
  H.R. 4458 would require the prudential regulators, specifically the 
Federal Reserve, FDIC, OCC, NCUA, to each issue an annual report to 
Congress describing measures the respective agency has taken to 
strengthen cybersecurity. The report must include steps each agency is 
taking to address any cybersecurity concerns identified by the annual 
independent evaluations conducted under the Federal Information 
Security Modernization Act of 2014. The bill sunsets after 7 years.
  A wide range of regulators, including the Financial Stability 
Oversight Council, as well as experts and industrial stakeholders, have 
recognized cybersecurity is a key risk to our financial system and 
broader economy.
  As technology continues to rapidly change how financial products and 
services are delivered, it is important that regulators are ensuring 
financial institutions, including their third-party service providers, 
such as cloud service providers, have in place robust cyber policies 
and practices to help protect against cybersecurity incidents that 
could compromise sensitive consumer data.
  In addition, it is equally important that regulators themselves have 
their houses in order and that they are protecting their own 
information systems from cyberattacks. Indeed, many of our regulatory 
agencies already conduct ongoing cyber exercises to assess their 
cybersecurity systems. But as the threat of cyberattacks increase, 
there is an opportunity for Congress, as well as the public, to better 
understand how their personal data is being protected.
  Furthermore, these agencies also must have well-qualified 
cybersecurity experts on the job to help thwart potential cyberattacks 
that may be directed at these Federal agencies or the institutions they 
oversee.
  I appreciate that the ranking member worked with our side of the 
aisle to make important improvements to the bill before the committee 
marked it up. These changes include expanding the bill from the Federal 
Reserve to apply it to all Federal depository institution regulators, 
including the FDIC, OCC, and NCUA.
  The bill was also clarified so that the annual reporting includes how 
regulators supervise banks and credit unions, as well as their third-
party service providers, to mitigate cybersecurity risks.
  Madam Speaker, I urge Members to support this important legislation, 
and I reserve the balance of my time.
  Mr. McHENRY. Madam Speaker, I yield myself such time as I may 
consume.
  Madam Speaker, today, I begin by thanking Chairwoman Waters and her 
staff for working with my staff and me to bring this bill to the floor 
today and, indeed, making it a bipartisan outcome.
  It is a nice way to start a year. We started last year on the floor 
passing bipartisan bills, and from time to time, we have been able to 
do that over the last year. So I thank Chairwoman Waters for working 
with me where we can, but when we disagree in our committee, we are 
able to disagree and still have the capacity to talk to one another. I 
think that is a very special thing. Now, the rest of our politics, they 
are what they are, but it is good to celebrate when we have our 
bipartisan victories.
  Madam Speaker, the bill we have before us will ensure the government 
regulators are taking seriously the systemic risk that cybersecurity 
attacks pose to the global economy.
  For the first time, this legislation will require U.S. bank 
regulators--the Federal Reserve, the Office of the Comptroller of the 
Currency, the Federal Deposit Insurance Corporation,

[[Page H197]]

and the National Credit Union Administration--to provide Congress with 
a detailed analysis of what they are doing to protect against 
cyberattacks, both internally and in the entities they oversee.
  This includes the regulators' technical procedures, their operational 
policies to ensure accountability for cybersecurity at the highest 
management levels, their cooperation with domestic and foreign 
financial institutions, as well as their forecasts on emerging threats 
to the resilience of the financial system--important stuff.
  The need for this bill is clear. We have witnessed nearly half a 
billion data records exposed as a result of breaches in the private 
sector.
  We know that the world is digitizing. Our government is trying to 
keep pace, but the private sector is moving very quickly as we, as 
consumers, drive this move to greater digitization.
  Not surprisingly, one recent survey found that no less than two-
thirds of our large financial institutions had experienced an increase 
in cyberattacks over the previous year, with 79 percent of them 
concluding that hackers were becoming more sophisticated. Certainly, 
they are.
  At an April 2019 hearing of the Financial Services Committee, CEOs 
from five of America's seven largest banks cited cyberattacks as the 
foremost risk they face. Now, that is not productivity growth. It is 
not political upheaval overseas. It is not an economic slowdown in 
China or Europe. They ranked their highest concern as cybersecurity 
threats.

  In the private sector, they are not alone in this exposure. Last 
year, we saw ransomware attacks against Baltimore and three towns in 
Florida that forced local government operations to be suspended, in 
some cases jeopardizing basic public services.
  What would happen if hackers had that same success in a large attack 
that has systemic implications? Here is just one example.
  The Federal Reserve settles $35 billion in global payments in just 
the first hour of operations each business day. A cyberattack on the 
Fed that could be just partially successful would have and could have 
disastrous consequences. It is precisely the scale and 
interconnectedness of the financial sector that makes such scenarios so 
alarming.
  As the 2019 annual report of the Financial Stability Oversight 
Council explains: ``The increasing reliance of financial firms on 
information technology increases the risk that a cybersecurity event 
could have severe negative consequences for the U.S. economy, 
potentially impacting financial stability.'' True.
  The FSOC report goes on to say: ``The unique and complex threats 
posed by cyber risks require the public and private sectors to 
cooperate to identify, understand, and protect against these risks.''
  It is a new threat. It is a complex one. While I appreciate our 
regulators' growing sensitivity to cyber-related risks, we can and must 
do more.
  As the Fed acknowledged in its most recent financial stability 
report, cyber resiliency is a potential risk for financial stability 
that doesn't fit neatly into existing risk frameworks.

                              {time}  1800

  This bill will help our regulators, including the Fed, incorporate 
cybersecurity into those risk assessments more effectively.
  To be clear, Madam Speaker, the answer to cyber threats is not to 
return to some bygone, less technologically sophisticated age, 
something we can't do. On the contrary, ensuring the resiliency of the 
financial system means increasing vigilance and innovation. That means 
we need to have the best and brightest protecting our important 
institutions of government and the best and brightest protecting our 
important institutions in the private sector.
  It is a lack of technological sophistication in the public and 
private sectors that will offer an opening to attackers if we don't 
take this action, and that is why Congress needs to hold our regulators 
to the highest standards of accountability so that they will remain a 
step ahead of tomorrow's threats.
  Again, I want to thank my Democratic colleagues for working with us 
on this important measure, and I urge all Members to support its 
passage.
  Madam Speaker, I reserve the balance of my time.
  Ms. WATERS. Madam Speaker, I reserve the balance of my time.
  Mr. McHENRY. Madam Speaker, I yield myself the balance of my time.
  I include in the Record a letter from the Credit Union National 
Association in support of H.R. 4458 and a blog post by the 
International Monetary Fund which highlights the global threat of 
cybersecurity attacks and the need for better preparation and risk 
assessments.

                            Credit Union National Association,

                                 Washington, DC, October 29, 2019.
     Hon. Maxine Waters,
     Chairwoman, Committee on Financial Services,
     House of Representatives, Washington, DC.
     Hon. Patrick McHenry,
     Ranking Member, Committee on Financial Services, House of 
         Representatives, Washington, DC.
       Dear Chairwoman Waters and Ranking Member McHenry: On 
     behalf of America's credit unions, I am writing regarding the 
     House Financial Services Committee's markup of H.R. 4458, 
     ``the Cybersecurity and Financial System Resilience Act.'' 
     The Credit Union National Association (CUNA) represents 
     America's credit unions and their 115 million members.
       National Cybersecurity Awareness Month is an important 
     reminder to assess cyber dangers and consider what can be 
     done to help protect Americans and American businesses from 
     cyber-attacks. For credit unions, protecting American's 
     financial and other personal information no matter what 
     business or entity possess or handle it is of the utmost 
     importance. Theft and misuse of members' information from 
     other businesses and entities cost credit unions and by 
     extension their member-owners significant money while lining 
     the pockets of criminals and criminal nation states who use 
     the money to hurt the Unites States.
       CUNA supports H.R. 4458, the ``Cybersecurity and Financial 
     System Resilience Act.'' America's credit unions support 
     efforts to ensure that the entire financial services sector 
     has proper cyber safeguards in place and this effort should 
     extend to the sectors' regulators. H.R. 4458 would require 
     the sectors' regulators to each issue an annual report to 
     Congress describing measures the respective agency has taken 
     to strengthen cybersecurity with respect to its functions as 
     a regulator, including the supervision and regulation of 
     financial institutions and, where applicable, third-party 
     service providers.
       The Federal Information Security Modernization Act (FISMA) 
     requires the sectors' regulators to develop, document, and 
     implement an agency-wide program to provide information 
     security for the information and information systems that 
     support the operations and assets of the agency, including 
     those provided or managed by another agency. It appears that 
     H.R. 4458 would enhance FISMA through reporting requirements 
     while also requiring the regulators to ensure robust 
     oversight of their regulated entities, which is already a 
     primary duty of the regulators.
       The regulators should be given wide latitude to decide the 
     information reported publicly on the status of their 
     regulated entities. Any information that details cyber 
     vulnerabilities at financial institutions should not be 
     reported publicly as it could harm the sector as bad actors 
     could use reports as a roadmap for future attacks. 
     Furthermore, the regulators should coordinate publicly 
     reporting their regulated financial institutions for the same 
     reason.
       Lastly, we commend the National Credit Union Administration 
     (NCUA) Chairman Rodney Hood for recently appointing a 
     cybersecurity advisor. We believe this is a critical step to 
     ensure the agency stays focused on important cyber issues. We 
     appreciate that NCUA has taken proactive efforts to work to 
     secure the cyber security framework for credit unions and 
     their members.
       On behalf of America's credit unions and their 115 million 
     members, thank you for the opportunity to share our views. We 
     look forward to continuing to work with the Committee on 
     safeguarding the financial services sector against cyber-
     attacks.
       Sincerely,
                                                       Jim Nussle,
     President & CEO.
                                  ____


                       [From IMF, Jan. 13, 2020]

                    Cybersecurity Threats Call for a
                            Global Response

                           (By David Lipton)

       Last March, Operation Taiex led to the arrest of the gang 
     leader behind the Carbanak and Cobalt malware attacks on over 
     100 financial institutions worldwide. This law enforcement 
     operation included the Spanish national police, Europol, FBI, 
     the Romanian, Moldovan, Belarusian, and Taiwanese 
     authorities, as well as private cybersecurity companies. 
     Investigators found out that hackers were operating in at 
     least 15 countries.
       We all know that money moves quickly around the world. As 
     Operation Taiex shows, cybercrime is doing the same, becoming 
     increasingly able to collaborate rapidly across borders.
       To create a cyber-secure world, we must be as fast and 
     globally integrated as the criminals. Facing a global threat 
     with local resources will not be enough. Countries need to

[[Page H198]]

     do more internally and internationally to coordinate their 
     efforts.


                       How to best work together

       To begin, the private sector offers many good examples of 
     cooperation. The industry deserves credit for taking the lead 
     in many areas--developing technical and risk management 
     standards, convening information-sharing forums, and spending 
     considerable resources. International bodies, including the 
     Group of 7 Cyber Experts group and the Basel Committee, are 
     creating awareness and identifying sound practices for 
     financial sector supervisors. This is important work.
       But there is more to be done, especially if we take a 
     global perspective. There are four areas where the 
     international community can come together and boost the work 
     being done at the national level:
       First, we need to develop a greater understanding of the 
     risks: the source and nature of threats and how they might 
     impact financial stability. We need more data on threats and 
     on the impact of successful attacks to better understand the 
     risks.
       Second, we need to improve collaboration on threat 
     intelligence, incident reporting and best practices in 
     resilience and response. Information sharing between the 
     private and public sector needs to be improved--for example, 
     by reducing barriers to banks reporting issues to financial 
     supervisors and law enforcement.
       Different public agencies within a country need to 
     communicate seamlessly. And most challenging, information 
     sharing between countries must improve.
       Third, and related, regulatory approaches need to achieve 
     greater consistency. Today, countries have different 
     standards, regulations, and terminology. Reducing this 
     inconsistency will facilitate more communication.
       Finally, knowing that attacks will come, countries need to 
     be ready for them. Crisis preparation and response protocols 
     should be developed at both the national and cross-border 
     level, so as to be able to respond and recover operations as 
     soon as possible. Crisis exercises have become crucial in 
     building resilience and the ability to respond, by revealing 
     gaps and weaknesses in processes and decision making.


                       Connecting the Global Dots

       Because a cyberattack can come from anywhere in the world, 
     or many places at once, crisis response protocols must be 
     articulated within regions and globally.
       That means the relevant authorities need to know ``whom to 
     call'' during a crisis, in nearby and, ideally, also in 
     faraway countries. For small or developing countries, this is 
     a challenge that needs international attention. Many rely on 
     financial services or correspondent lines provided by global 
     banks for financial connection. Developing cross-border 
     response protocols will help countries understand their 
     respective roles in a crisis and ensure a coordinated 
     response in the event of a crisis.
       The Group of 7 countries has made an excellent start at 
     building collaboration on cybersecurity, but this effort 
     needs to be broadened to each and every country.
       Here the IMF can play an important role. With a much 
     broader representation than most of the standard-setting 
     institutions, the IMF has the ability to raise the concerns 
     of emerging-market and developing countries to a global 
     level. Because any place is a good place to start an attack, 
     it is in the ultimate interest of advanced economies to work 
     with other countries to share information, coordinate 
     actions, and build capacity.
       At the IMF, we work with countries that need to build this 
     capacity, developing the skills and expertise needed to 
     recognize and effectively counter cybersecurity threats. Our 
     international partners are doing the same, and we work 
     regularly with an array of stakeholders in the public and 
     private sector.
       Successful cyberattacks have the potential to hamper 
     financial development by creating distrust, especially if 
     personal and financial data are compromised.
       If we want to reap the benefits of new technologies that 
     can develop markets and expand financial inclusion, we have 
     to preserve trust, and ensure the security of information and 
     communications technologies. With cybersecurity, there is 
     always more to be done simply because the pace of change is 
     breathtakingly fast.
  Mr. McHENRY. Madam Speaker, I urge adoption of this measure, and I 
yield back the balance of my time.
  Ms. WATERS. Madam Speaker, I yield myself the balance of my time.
  In closing, cybersecurity is a major issue facing all aspects of our 
economy, including the financial sector. It is an important issue for 
both private companies and government agencies.
  H.R. 4458 will enhance congressional oversight of our banking 
regulators to ensure that they are maintaining strong cyber defenses of 
their own systems, as well as the banks and credit unions they 
regulate. I urge Members to support this important legislation.
  I thank the ranking member for his leadership and for the way that he 
reached across the aisle in working with us.
  Madam Speaker, I yield back the balance of my time.
  The SPEAKER pro tempore. The question is on the motion offered by the 
gentlewoman from California (Ms. Waters) that the House suspend the 
rules and pass the bill, H.R. 4458, as amended.
  The question was taken; and (two-thirds being in the affirmative) the 
rules were suspended and the bill, as amended, was passed.
  A motion to reconsider was laid on the table.

                          ____________________