New Trend: More Cybersecurity Disclosures by Banks and Other Public Companies

Published On March 6, 2013 | By Randy Sabett | Data Security, General, Hacking, Legislation

It has been almost ten years since California’s landmark data breach notification law (SB 1386) went into effect.  Since its passage, we’ve seen a number of high profile reports of breached information along with numerous smaller and less eye-catching disclosures by small and medium-sized businesses.  Some commentators, however, believe that many companies continue to not report about weaknesses in or breaches of their computer security.

While unreported breaches that do not involve personally identifiable information (PII) may not violate the 46 state laws requiring notification of breaches, such non-reporting could violate other laws, such as the SEC requirement on public companies to report material events.  More specifically, the SEC issued guidance in 2011 to public companies regarding obligations under existing law to report breaches of cybersecurity.  In addition, the SEC also sent letters requesting that companies reveal more cyber threat information.

Last week saw another wave of reports by banks (and others) containing warnings that they may be vulnerable to cyberattacks.  On Friday, Citigroup addressed cybersecurity in its annual 10-K report, acknowledging “limited losses” and increased security expenditures from cyberattacks. The bank said that cyberattacks “could occur more frequently and on a more significant scale” in the future.

Sun Trust Banks focused its attention on both its vulnerabilities and those of its service providers when it stated that a “failure in or breach of our operational or security systems or infrastructure, or those of our third party vendors and other service providers, including as a result of cyber attacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.”  It went on to note that it had experienced actual cyberattack as well, noting that their main online banking website “was subject to a series of Distributed Denial of Service Attacks. These attacks, which were also generally publicized in the media, did not result in any financial loss, fraud or breach of client data or service disruptions of any materiality.”

Several other organizations disclosed actual cyberattacks, including Goldman Sachs, Bank of America, JP Morgan Chase, Bank of NY Mellon, Priceline.com, Zions Bancorporation, American Express, and MetLife.  It should come as no surprise to anyone that these organizations experience nearly continuous attack.  Reporting such attacks as part of their annual reports (and further acknowledging that those cyberattacks could cause serious harm) moves the bar in some respects.  At a bare minimum, it could diminish resistance within the organization to report an actual breach, were it to occur, since a warning has already been given.

At tonight’s CDT dinner in Washington, DC there was lively discussion about the philosophical differences separating politicians on cybersecurity legislation.  In the absence of legislation, the SEC guidance seems to have woken some folks up…or at least has gotten them to acknowledge the cybersecurity issue both within their organization and publicly.

About The Author

Randy V. Sabett joined ZwillGen as Counsel in 2011. He advises clients on information security, privacy, IT licensing, and intellectual property. Randy has over 20 years of infosec experience, including as an NSA crypto engineer and a CISSP. He works closely with companies in helping them develop strategies to protect and exploit their information and IP based on various evolving business models, including SaaS, mobile applications, cloud, and more traditional client/server architectures. Specific areas on which he focuses include information security, privacy, IT licensing, IP strategy, big data, metrics, active defense, venture capital, legislative matters, government contracting, digital and electronic signatures, federated identity, state and federal information security and privacy laws, identity theft, and data breaches. He also drafts and negotiates a variety of technology transaction agreements.

Comments