Testimony

Testimony on the Need for Reauthorization of the CISA Act

Summary

Chief Information Security Officer of Northern Trust, Karl Schimmeck, delivered testimony on behalf of SIFMA at a hearing before the U.S. House of Representatives Committee in favor of the reauthorization of the Cybersecurity Information Sharing Act of 2015.

Press Release: Karl Schimmeck of Northern Trust Testifies Regarding Need for Reauthorization of the CISA Act on Behalf of SIFMA


Excerpt

Written Testimony of Karl Schimmeck, Chief Information Security Officer of Northern Trust, on behalf of the Securities Industry and Financial Markets Association (SIFMA)
Before the U.S. House of Representatives
Committee on Homeland Security
Cybersecurity and Infrastructure Protection Subcommittee
Hearing Entitled:
“In Defense of Defensive Measures: Reauthorizing Cybersecurity Information Sharing Activities that Underpin U.S. National Cyber Defense”
May 15, 2025

Introduction

Chairman Garbarino, Ranking Member Swalwell and distinguished members of the Subcommittee, thank you for the opportunity to testify today in favor of the reauthorization of the Cybersecurity Information Sharing Act of 2015 (“CISA 2015” or the “Act”).1 My name is Karl Schimmeck. I am an Executive Vice President and Chief Information Security Officer of Northern Trust, responsible for the design and management of the bank’s information security, cybersecurity, and data protection programs. I am here today as a representative of the Securities Industry and Financial Markets Association (“SIFMA”) where I am a member of the Cybersecurity Committee. I am also on the Board of Directors of the Financial Services Information Sharing and Analysis Center (“FS-ISAC”).

Prior to my current position at Northern Trust, I served as Chief Information Security Officer and Head of Technology Risk and Resilience for Morgan Stanley’s U.S. banks. Prior to that, I was Managing Director of Cybersecurity, Business Resiliency & Operational Risk at SIFMA from 2011 to 2016, during which I was involved in the advocacy efforts for CISA 2015. During that time, I was also on the executive committee of the Financial Services Sector Coordinating Council (“FSSCC”).

SIFMA is the leading trade association for broker-dealers, investment banks, and asset managers operating in the U.S. and global capital markets. SIFMA advocates on legislation, regulation and business policy affecting financial markets and serves as an industry coordinating body to promote fair and orderly markets, informed regulatory compliance, and efficient market operations and resiliency.

As part of its critical role as a coordinating body and as it relates to this hearing, SIFMA hosts a bi-annual cybersecurity exercise known as Quantum Dawn which brings together public and private sector participants for a series of exercises that simulate the operational impacts that a systemic cyber-attack could have on financial firms, critical third parties, and the global financial ecosystem due to a large-scale attack. Last year’s exercise included more than 1000 participants from 20 countries. The goal of the exercise is to improve response and recovery plans and strengthen global coordination and information sharing mechanisms which are necessary for quickly responding to significant operational outages, including cyber events.2

Certain key provisions of CISA 2015 are set to expire in September if Congress does not reauthorize them. SIFMA is calling for a clean reauthorization of the expiring provisions of CISA 2015 as soon as possible so that participating institutions will have the necessary assurances that the existing protections will continue. These expiring provisions include liability protections for private companies when sharing information pursuant to the Act – protections that are essential to the collective protection of the US via the enhanced situational awareness that information sharing provides. It is critical that Congress reauthorize these provisions to preserve information sharing before they expire.

 

  1. Consolidated Appropriations Act, 2016, Pub. L. No. 114-113, Div. N, Title I—Cybersecurity Information Sharing Act of 2015, 129 Stat. 2935 (2015), 6 U.S.C. § 1501; S. Rep. No. 114–32, at 2 (2015).
  2. Press release, SIFMA Cybersecurity Exercise, Quantum Dawn VII After-Action Report (May 1, 2024), https://www.sifma.org/resources/general/cybersecurity-exercise-quantum-dawn-vii/