Legislation introduced by Congressman Bill Foster (D-Ill.) to strengthen cybersecurity in the financial services industry was passed by the House Financial Services Committee.
The Strengthening Cybersecurity for the Financial Sector Act of 2022 would correct regulatory gaps and improve the safety and soundness of the nation’s banking system.
Specifically, this bill would grant the National Credit Union Administration (NCUA) and the Federal Housing Finance Agency (FHFA) the authority to oversee third-party vendors employed by the entities under their purview. This authority – currently utilized by all other industry regulators – was previously temporarily granted to the NCUA and FHFA but has since expired, leaving a dangerous regulatory gap and leaving consumers and families at risk. This bill would bring parity amongst regulators to ensure the financial services and housing industries are well protected against cyberattacks.
“Hard-working Americans deserve peace of mind that their money and their data are safe with their credit union or mortgage servicer,” Foster said. “Federal regulators should have the power to thoroughly scrutinize financial institutions’ third-party vendors’ technology systems to ensure they are secure against the growing threat of cyberattacks. We have learned the hard way about the damage that can result from supply-chain cyberattacks like ‘SolarWinds,’ and third-party vendors in our financial system represent alluring targets. This will make the entire banking system safer and will go a long way to protect sensitive consumer information.”
The bill would add Section 1329 to the Federal Housing Enterprises Financial Safety and Soundness Act of 1992. The new provision would state, “Whenever a regulated entity or the Office of Finance causes to be performed for itself, by contract or otherwise, any activity that is permissible for the regulated entity or the Office of Finance, whether on or off its premises:
- Such performance shall be subject to regulation and examination by the director to the same extent as if such activity were being performed by such entity or Office itself on its own premises.
- The regulated entity or Office of Finance shall notify the director of the existence of the service relationship within 30 days after the making of such service contract or the performance of the activity by the service provider, whichever occurs first.”