This Act may be cited as the “Cybersecurity and Financial System Resilience Act of 2019”.

(a) In general.—Not later than the end of the 180-day period beginning on the date of enactment of this Act, and annually thereafter, each banking regulator shall submit a report to the Committee on Financial Services of the House of Representatives and the Committee on Banking, Housing, and Urban Affairs of the Senate that provides a detailed explanation of measures undertaken to strengthen cybersecurity with respect to the functions of the regulator, including the supervision and regulation of financial institutions and, where applicable, third-party service providers. Each such report shall specifically include a detailed analysis of—

(1) policies and procedures (including those described under section 3554(b) of title 44, United States Code) that guard against—

(A) efforts to deny access to or degrade, disrupt, or destroy any information and communications technology system or network, or exfiltrate information from such a system or network without authorization;

(B) destructive malware attacks;

(C) denial of service activities; and

(D) any other efforts that may threaten the functions of the banking regulator or entities overseen by the regulator by undermining cybersecurity and the resilience of the financial system;

(2) activities to ensure the effective implementation of policies and procedures described under paragraph (1), including—

(A) the appointment of qualified staff, the provision of staff training, the use of accountability measures to support staff performance, and the designation, if any, of senior appointed leadership to strengthen accountability for oversight of cybersecurity measures;

(B) deployment of adequate resources and technologies;

(C) efforts to respond to cybersecurity-related findings and recommendations of the Inspector General of the banking regulator or the independent evaluation described under section 3555 of title 42, United States Code; and

(D) as appropriate, efforts to strengthen cybersecurity in coordination with other Federal departments and agencies, domestic and foreign financial institutions, and other partners, including the development and dissemination of best practices regarding cybersecurity and the sharing of threat information; and

(3) any current or emerging threats that are likely to pose a risk to the resilience of the financial system.

(b) Form of report.—The report required under subsection (a) shall be submitted in unclassified form, but may include a classified annex, if appropriate.

(c) Congressional briefing.—Upon request, the head of each banking regulator shall provide a detailed briefing to the appropriate Members of Congress on each report submitted pursuant to subsection (a), except—

(1) the Chairman of the Board of Governors of the Federal Reserve System may designate another member of the Board of Governors of the Federal Reserve System to provide such briefing;

(2) the Chairperson of the Federal Deposit Insurance Corporation may designate another member of the Board of Directors of the Corporation to provide such briefing; and

(3) the Chairman of the National Credit Union Administration may designate another member of the National Credit Union Administration Board to provide such briefing.

(d) Definitions.—For the purposes of this Act:

(1) APPROPRIATE MEMBERS OF CONGRESS.—The term “appropriate Members of Congress” means the following:

(A) The Chairman and Ranking Member of the Committee on Financial Services of the House of Representatives.

(B) The Chairman and Ranking Member of the Committee on Banking, Housing, and Urban Affairs of the Senate.

(2) BANKING REGULATOR.—The term “banking regulator” means the Board of Governors of the Federal Reserve System, the Comptroller of the Currency, the Federal Deposit Insurance Corporation, and the National Credit Union Administration.

(3) SENIOR APPOINTED LEADERSHIP.—With respect to a banking regulator, the term “senior appointed leadership” means a position that requires Senate confirmation.

(e) Sunset.—The provisions of this Act shall have no force or effect on or after the date that is 7 years after the date of enactment of this Act.

The budgetary effects of this Act, for the purpose of complying with the Statutory Pay-As-You-Go Act of 2010, shall be determined by reference to the latest statement titled “Budgetary Effects of PAYGO Legislation” for this Act, submitted for printing in the Congressional Record by the Chairman of the House Budget Committee, provided that such statement has been submitted prior to the vote on passage.