Last year, the Financial Services Committee heard directly from the CEOs of America’s seven largest banks. When asked what kept these leaders up at night, a majority cited cyberattacks as the greatest risk they faced — not productivity growth, not political upheaval overseas, not an economic slowdown in China. Threats to cybersecurity topped their list.
A recent survey found that no less than two-thirds of large financial institutions had experienced an increase in cyberattacks over the previous year, with 79 percent of them concluding that hackers were becoming more sophisticated.
The private sector is not alone in its exposure. As we saw last year, ransomware attacks against Baltimore and three towns in Florida forced local government operations to be suspended, in some cases jeopardizing basic public services. This raises the question: What would happen if bad actors were effective in hacking a larger target with systemic implications, such as our financial institutions or, worse yet, our regulators?
Consider that the Federal Reserve settles $35 billion in global payments in just its first hour of each business day. A cyberattack on the Fed could be only minimally effective yet still have disastrous consequences.
It is precisely the scale and interconnectedness of the financial sector that makes such scenarios so alarming. As the 2019 Annual Report of the Financial Stability Oversight Council (FSOC) explains, “the increasing reliance of financial firms on information technology increases the risk that a cybersecurity event could have severe negative consequences for the U.S. economy, potentially impacting financial stability.”
The FSOC report goes on to say that “the unique and complex threats posed by cyber risks require the public and private sectors to cooperate to identify, understand, and protect against these risks.”
While I appreciate our regulators’ growing sensitivity to cyber-related risks, we can and must do more. As the Fed acknowledged in its most recent Financial Stability Report, cyber resiliency is a potential risk to financial stability that doesn’t yet fit neatly into existing risk frameworks.
That’s why I introduced H.R. 4458, the Cybersecurity and Financial System Resilience Act of 2019, last year. For the first time, this legislation would require U.S. banking regulators — the Federal Reserve, the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation and the National Credit Union Administration — to provide Congress with a detailed analysis of what they’re doing to protect against cyberattacks, both internally and in the entities they oversee.
This includes the regulators’ technical procedures, their operational policies to ensure accountability for cybersecurity at the highest management levels, their cooperation with domestic and foreign financial institutions, as well as their resiliency to emerging threats to the financial system.
This commonsense approach received bipartisan support in the Financial Services Committee last year and passed out of the House of Representatives this week with unanimous support. I am glad to see my colleagues on both sides of the aisle agree that ensuring the resiliency of the financial system that impacts the lives of the American people every single day requires increased vigilance and innovation.
The Cybersecurity and Financial System Resilience Act would be a positive step by Congress to hold our regulators to the highest standards of accountability so that they remain a step ahead of tomorrow’s threats. I look forward to the Senate’s quick consideration of this bipartisan legislation to help ensure the safety and soundness of our nation’s financial system in the 21st century and beyond.
Patrick McHenry is serving his eighth term in Congress, where he represents North Carolina’s 10th District. Rep. McHenry serves as Republican Leader of the House Financial Services Committee, which he has served on since he was elected to Congress.
Morning Consult welcomes op-ed submissions on policy, politics and business strategy in our coverage areas. Updated submission guidelines can be found here.