The top Republican lawmaker on an influential House committee wants the Federal Reserve to be more open about its cybersecurity preparations.
Rep. Patrick McHenry (R., N.C.), the ranking member of the House Financial Services Committee, this week introduced legislation that would compel the Fed to report annually to House and Senate banking committees on detailed points regarding its cybersecurity strategy.
The legislation would ensure that Congress is “read in” on the Fed’s countermeasures and cybersecurity readiness, Mr. McHenry said in an interview. He referred to a 2018 report from the Fed’s Office of the Inspector General that reviewed the central bank’s information security program. The report found that while the Fed had certain protections in place, such as multifactor authentication and staff training, it lacked full oversight over its technology and security processes.
“The report informs me that we need to have a better grasp of what the Fed is doing. The Fed is the largest bank in the world, it is globally systemically important, and we should have proper congressional oversight of their cybersecurity preparations,” Mr. McHenry said.
The legislation calls for requiring the Fed to report details about malware and denial-of-service attacks, as well as other attempts to breach its computer networks. The central bank would also be required to show that its cybersecurity employees are qualified and report on its use of cybersecurity technologies. The reports should be issued as public documents but may include a classified annex “if appropriate,” the bill states. Such information isn’t generally made public, although the Fed chief is required to testify before Congress twice a year about monetary policy and other matters.
The bill comes at a time when cybersecurity is regarded as a critical risk to the safety of the financial system. Mr. McHenry said that chief executives from top banks he met over the summer said that cybersecurity rates “very highly” as a risk factor.
He added that while this bill focused on the Fed, there was a wider need to examine cybersecurity preparations across federal agencies. In the future, Congress could also look into cybersecurity at other financial regulators, including the Securities and Exchange Commission, he said.
A spokeswoman for the Fed declined to comment. In testimony before the House committee in July, Fed Chairman Jerome Powell said that he regarded cyber risk as a principal threat to the financial system, describing it as “the big one.”
“We’ve spent 10 years building up capital, helping the banks be much more conscious of their risks, building up liquidity, stress-testing, all those things. And we have a really good playbook there,” he said. “The thing that is really hard is the idea of a successful cyber attack.”
Other financial regulators have also been sharpening their focus on cybersecurity. The SEC said in testimony before Congress this week that it had increased its IT security staff by 75% from 2017 levels. In February, the regulator said it was hiring its first chief risk officer, Gabriel Benincasa.
The Commodity Futures Trading Commission, meanwhile, plans to discuss cybersecurity at a meeting of its technology committee Oct. 3.