New Trend: More Cybersecurity Disclosures by Banks and Other Public Companies
It has been almost ten years since California’s landmark data breach notification law (SB 1386) went into effect. Since its passage, we’ve seen a number of high-profile reports of breached information along with numerous smaller and less eye-catching disclosures by small and medium-sized businesses. Some commentators, however, believe that many companies still do not report weaknesses in, or breaches of, their computer security.
While unreported breaches that do not involve personally identifiable information (PII) may not violate the 46 state laws requiring notification of breaches, such non-reporting could violate other laws, such as the SEC requirement that public companies report material events. More specifically, the SEC issued guidance in 2011 to public companies regarding their obligations under existing law to report breaches of cybersecurity. In addition, the SEC also sent letters requesting that companies reveal more cyber threat information.
Last week saw another wave of reports by banks (and others) containing warnings that they may be vulnerable to cyberattacks. On Friday, Citigroup addressed cybersecurity in its annual 10-K report, acknowledging “limited losses” and increased security expenditures from cyberattacks. The bank said that cyberattacks “could occur more frequently and on a more significant scale” in the future.
SunTrust Banks focused its attention on both its own vulnerabilities and those of its service providers when it stated that a “failure in or breach of our operational or security systems or infrastructure, or those of our third party vendors and other service providers, including as a result of cyber attacks, could disrupt our businesses, result in the disclosure or misuse of confidential or proprietary information, damage our reputation, increase our costs and cause losses.” It went on to note that it had experienced actual cyberattacks as well, stating that its main online banking website “was subject to a series of Distributed Denial of Service Attacks. These attacks, which were also generally publicized in the media, did not result in any financial loss, fraud or breach of client data or service disruptions of any materiality.”
Several other organizations disclosed actual cyberattacks, including Goldman Sachs, Bank of America, JP Morgan Chase, Bank of NY Mellon, Priceline.com, Zions Bancorporation, American Express, and MetLife. It should come as no surprise to anyone that these organizations experience nearly continuous attack. Reporting such attacks as part of their annual reports (and further acknowledging that those cyberattacks could cause serious harm) moves the bar in some respects. At a bare minimum, it could diminish resistance within the organization to report an actual breach, were it to occur, since a warning has already been given.
At tonight’s CDT dinner in Washington, DC there was lively discussion about the philosophical differences separating politicians on cybersecurity legislation. In the absence of legislation, the SEC guidance seems to have woken some folks up…or at least has gotten them to acknowledge the cybersecurity issue both within their organization and publicly.