Cybersecurity Act by Former Senator Tim Johnson
Posted on 2014-12-11
JOHNSON of South Dakota. Mr. President, I ask consent to engage in a colloquy with Senator Rockefeller, Chairman of the Senate Commerce Committee, regarding important aspects of S. 1353, the Cybersecurity Enhancement Act of 2014.
Yesterday I held a hearing on the importance of improving information sharing between agencies on cyber security. As I said yesterday, law enforcement, the intelligence community, Treasury, and financial regulators each may have different missions, but in addressing cyber security concerns they all must be united in what some call a "whole government" approach. Cyber security is one of the most important issues facing the financial system and I hope next Congress can work together to pass a comprehensive cyber security bill. I thank my colleague, the Senator from West Virginia, for his work on this important matter and for strengthening the public-private collaboration on cyber security with this bill.
However, I would like to ensure that the language in this bill does not have unintended consequences on the abilities of financial regulators to effectively oversee our financial system. As chairman of the Banking Committee, I am mindful of the importance of strong regulators examining and supervising our financial institutions. This is particularly important in the case of the Consumer Financial Protection Bureau, the agency that was created in 2010 to police areas of the financial market that previously were not regulated at the federal level, as well as the prudential regulators. A provision in S. 1353 states that information shared with the National Institute of Standards and Technology (known as NIST) may not be used by a government agency to regulate the activity of any entity. However, other existing statutes and regulations provide government agencies with the authority to require entities they regulate to provide them with information.
Moreover, a regulatory agency may discover such information on its own, through the entity, or through other sources. For example, a bank regulatory agency may discover cyberthreat information during a routine examination of a bank and might want to exercise its existing legal authority to require the bank to adjust its systems to protect against future cyberthreats. I seek clarification from the Senator from West Virginia with respect to the provision in the proposed legislation.
Can my colleague from West Virginia confirm that this provision is not intended to prohibit an agency from taking regulatory action, if the agency independently obtains such information pursuant to other statutory or regulatory authority, even if a regulated entity has shared this information with NIST?