Although the controversial Cyber Intelligence Sharing and Protection Act, also known as CISPA, was effectively dead upon its arrival in the Senate, the proposed bill has raised some important questions and concerns for financial institutions.

The bill passed the House of Representatives with bipartisan support, but the Senate recently indicated it will not consider the bill.

Cyber security has become increasingly important for financial institutions, as the past year has seen a slew of banks and credit unions find themselves the target of digital assaults, particularly denial-of-service attacks. Notably, JPMorgan Chase, BB&T and a handful of other banks experienced denial-of-service attacks early in March, all occurring around the same time.

CISPA’s intent was to essentially help the United States government investigate cyber attacks by allowing for the sharing of Internet traffic information between the government and private industries, like technology or manufacturing.

Indeed, CISPA set off a few interesting debates. After Internet start-ups and tech giants alike banded together only a little more than a year ago to vocalize their opposition to the Stop Online Piracy Act and PROTECT IP Act – more commonly known as SOPA and PIPA – you couldn’t be faulted for thinking they would fall along similar lines opposing CISPA.

With CISPA, Internet activists, civil libertarians and government watchdogs have lined up on the opposite side of many larger trade associations, including many tech companies. This go-around, even Google expressed some support for the idea behind the bill, if not exactly for the bill itself. And financial institutions and other companies affiliated with the financial services sector were overwhelmingly supportive of CISPA.

The American Bankers Association – along with other representatives from the financial services industry, including the Consumer Bankers Association, Credit Union National Association, and the Electronic Funds Transfer Association – signed off on an April 17 letter to Congress supporting the bill, writing that CISPA “would provide important updates and clarifications to the National Security Act to facilitate and increase cyber intelligence information sharing by the private and public sectors. At the same time, it provides essential privacy protections for consumers by limiting the inclusion of consumer data in shared threat information.”

It’s that age-old dilemma: balancing security with liberty (or in this case, privacy). But industry observers say that financial services companies, which already tend to be hyper-cautious about revealing identifying customer details, have a considerably different stake in the matter.

Much of the data that financial services companies share amongst each other actually concerns specifics about cyber-attacks, says Doug Johnson, the American Bankers Association’s vice president of risk management policy.

 

“We’re sharing threat data, which is not person identifiable information or bank credentials. It’s bits and bytes. This is data associated with the part of an institution that is being attacked, what does the attack look like, where is it coming from. This is usually computer addresses, computer locations on bank systems,” he elaborated. “It’s not about a person’s identifying information being shared.”

A key component of the bill that was especially appealing to the financial services industry was the liability protection it offered to institutions that make a decision to share threat information.

Pre-CISPA, Johnson says, “There was silence in the law, as opposed to anything else that relates to liability protection.”

 

 

Practical Implications, Questions

In their letter to Congress, the financial services companies also praised what they described as CISPA’s “voluntary approach to information sharing.” Or in other words, CISPA would have given financial institutions the freedom to share cyber threat information amongst each other and with the government, but would not have imposed on them the requirement to do so.

That’s important, Johnson says, because “you want them to be sharing information because they’re attempting to protect the larger cyber environment. With a mandatory system, you essentially close all that down. You end up creating an environment where institutions ironically end up sharing less info than they would in a voluntary environment.”

“We are still evaluating the practical implications of CISPA. The bill had a lot of amendments to it in a very late part of the process,” he added.

However, at least one of those amendments, the Conyers Amendment, could have proved problematic as it would have removed much of the liability protection that financial institutions so liked in the first place.

And while the Senate has indicated it will likely craft its own cyber security bill, what the financial services industry seems to be hoping for is that voluntary approach the letter’s co-signers referenced. A sort of “do no harm” approach, Johnson clarified.

He added, “We’re less convinced that there needs to be some kind of elaborate cyber security standards put in by law.” 

 

 

 

Email: lalix@thewarrengroup.com

CISPA Is DOA

by Laura Alix