Senate lawmakers in the U.S. may consider the Cybersecurity Information Sharing Act (S. 754) (CISA) this fall after last minute negotiations failed to advance the bill to a vote before the August recess.
The much anticipated bill passed the U.S. Senate Intelligence Committee in April, and despite broad bipartisan support, a busy legislative calendar and disagreements over privacy concerns have delayed its consideration by the full Senate. The U.S. House of Representatives passed its companion cyber information sharing bill, the National Cybersecurity Protection Advancement Act of 2015 (H.R. 1731), in April.
The proposed legislation, which is designed to improve sharing of cybersecurity threat information between the government and the private sector, has won praise from many in private industry, including the financial sector.
Despite Senate Majority Leader Mitch McConnell’s (R-KY) desire to revisit the bill when lawmakers return to Capitol Hill in September, several high profile legislative issues – including government funding measures and the Iran nuclear agreement – may further delay the proposal.
“DTCC supports CISA because it moves the dial forward on cyber threat information sharing,” said Mark Clancy, CEO, Soltra. “Cyber attacks are increasing in volume and severity and becoming more sophisticated. Leveraging the capabilities and experience of a broader community through sharing of current and emerging cyber threats will allow firms to prepare their cyber defenses to meet the fast-evolving universe of cyber threats.”
DTCC has worked with lawmakers globally to support policies that enhance information sharing and critical-infrastructure protection, including testifying before the U.S. Congress, and partnering with federal agencies and other financial services companies to expand opportunities for public-private collaboration and information-sharing on the latest cyber threats.
Did Congress Already Forget the OPM Hack?
Cybersecurity: Partnering to Defend Against the Digital Culprit
Cyber Security Cited as Number One Risk to the Financial Markets, According to Most Recent DTCC Study
Firms Invest More in Cyber Security as Concerns About Cyber Attacks Risk Sharply
Five Things You Need to Know about CISA
What is the Cybersecurity Information Sharing Act?
The proposed legislation directs the federal government and companies to share actionable, situational cyber threat information to protect, prevent, mitigate, respond to, and recover from cyber incidents. CISA offers expanded liability protection across a broader spectrum of industry-government relationships for organizations participating in information sharing mechanisms.
Is CISA the only pending legislation addressing cyber info sharing?
No. The House version of the bill seeks to amend the Homeland Security Act of 2002 to enhance multi-directional sharing of information related to cybersecurity risks and strengthen privacy and civil liberties protections, and for other purposes.
Is the financial industry supportive of CISA?
The American Bankers Association (ABA), the Securities Industry and Financial Markets Association (SIFMA) and the Financial Services Roundtable (FSR) have all voiced support for CISA. The organizations issued a joint statement urging Senate lawmakers to immediately proceed to consideration of CISA so that financial firms and other sectors can better protect consumers and businesses by sharing critical information about cyber attacks with each other, the government, law enforcement and other institutions. Additionally, on March 2, a coalition of more than 20 of the country’s most prominent corporations sent a letter, co-signed by DTCC, to House and Senate leadership urging immediate legislative action on cybersecurity.
What is DTCC’s position on CISA?
DTCC has actively supported efforts to advance cyber information sharing in the U.S. Congress. Specifically, DTCC supports that cybersecurity legislation should:
- Ensure all business-to-government sharing is voluntary – similar to the approach undertaken by the NIST Cybersecurity Framework.
- Provide strong liability protections for businesses when sharing and receiving cyber threat information.
- Emphasize more government-to-business sharing of cyber threat information to strengthen the ability of the private sector to combat these threats through real-time identification, detection, and mitigation.
- Include robust and reasonable privacy protections to protect individual privacy while also preserving commitments businesses make to customers and other third parties.
How has DTCC collaborated with the industry to enhance the sharing of cyber threat information?
DTCC’s recent launch of Soltra, the new cyber threat information sharing platform, as well as the industry’s experience in pre-existing information sharing and analysis mechanisms like the Financial Services Information Sharing and Analysis Center (FS-ISAC), have proved to be timely examples of effective sector-led cybersecurity initiatives. The FS-ISAC – DTCC’s partner in the formation of Soltra – is viewed as one of the premier partnership examples of a in the cybersecurity space.