As cyber attacks against financial institutions have become more and more frequent, and the possibility of significant adverse consequences from a single attack have increased, financial institutions have been stepping up cyber security processes for some time. However, many institutions still grapple with the appropriate level of disclosure to shareholders regarding cyber security.
Cyber attacks can come from all directions and in all shapes and sizes—from the stolen employee laptop to a hacked computer system that allows fraudulent transfers from an account. Attacks where the criminals bypass both the computer systems of the bank and its customers and instead access the systems of the bank’s outside service providers can also leave the bank at risk. Which of these attacks or potential attacks merit disclosure?
In October of 2011, the Securities and Exchange Commission (SEC) issued CF Disclosure Guidance: Topic No. 2, which described disclosure obligations for cyber security risks and cyber incidents for public companies. While there is no explicit disclosure requirement regarding cyber security risks or incidents, the guidance from the SEC highlights areas that may require disclosure of cyber security risks or incidents, including:
- Risk Factors – Like other operational and financial risks, the risk of a cyber incident should be disclosed if it is among the most significant factors that make an investment in the company speculative or risky. The disclosure should be specific to the company and sufficient to allow investors to appreciate the nature of the risk without compromising the company’s cyber security.
- Management Discussion & Analysis – MD&A disclosure should include any known incident or risk or potential incident that represents “a material event, trend or uncertainty that is reasonably likely to have a material effect on the [company’s] results of operations, liquidity, or financial condition” or cause reported information not to be indicative of future results.
- Description of Business – Disclosure should be provided where a cyber incident may affect products, services, relationships with customers or suppliers or the company’s competitive position.
- Legal Proceedings – Any material pending legal proceeding related to cyber incidents should be disclosed.
- Financial Statements – Financial statement disclosure may include material costs of an incident or incurred to prevent cyber incidents or mitigate damages, including incentives to maintain business relationships related to an incident.
- Disclosure Control and Procedures – Cyber risks should be disclosed to the extent there is a risk to the company’s ability to record, process, summarize and report information required in SEC filings.
For banks and financial institutions that are not subject to the reporting requirements of the Securities Act of 1934, there are no applicable federal banking regulations that require disclosure to shareholders regarding cyber attacks or incidents. However, shareholder requests for information regarding cyber security from both private and public companies could become more common as banks, large and small, use more smart phones, tablets and other technology to deliver products and services and as cyber attacks become more frequent with increasing sophistication in techniques. In responding to such shareholder requests, companies should review and ensure that the shareholder request complies with applicable state corporate laws regarding shareholder inspection of corporate records. These statutes often require, generally, that a request for such information be made in good faith for a proper purpose that is reasonably relevant to a legitimate interest of the shareholder.
In the end, the key to good disclosure is first understanding the company’s “cyber business” and where the company’s risks lie. This includes understanding the company’s cyber risks from third party vendors and any contractual obligations to reimburse vendors for losses related to an attack on the vendor’s or other third party systems. Often, even when the company has cyber insurance, the policy will only cover incidents where the attack is on the bank’s systems, which may leave the bank holding the bag if an attack occurs indirectly through a vendor’s or customer’s systems. We recommend a review of such policies by counsel or an insurance professional to ensure a good understanding of the risks covered by the policies.