Your bank's been hacked. How soon should investors be told?
What did the bank know about its cyberattack, and when did it know it?
Those are the questions that regulators want banks to answer as soon as possible, and in great detail, if a data breach could potentially lead to a financially material loss. The U.S. Securities and Exchange Commission wants rapid public disclosures from banks and other publicly traded company to protect investors from financial losses caused by cyberattacks.
But answering those questions can pose risks for banks, according to legal and technology experts. In the rush to disclose information, banks could inadvertently assist future hackers, said Michael Licker, a securities attorney at Foley Hoag.
“You don’t want to say so much that you give hackers a road map on how to commit a breach,” Licker said.
It’s also another task that banks must add to an increasingly long list of items related to cybersecurity. Banks are spending hundreds of billions of dollars to upgrade cybersecurity technology, hire scores of new tech personnel and develop procedures for how to respond to a cyber incident.
The SEC wants companies to bring shareholders up to speed as quickly as possible because investors can be exposed to steep financial losses if consumer data is stolen. Shares of Equifax fell 14% on Sept. 7, 2017, the day the credit bureau announced its massive data breach.
Recent cyber incidents at three banks — Frost Bank in San Antonio and the Canadian institutions BMO Financial and Canadian Imperial Bank of Commerce — may provide hints at how financial-services companies will comply. All three have been hit by hackers this year and each has disclosed information in varying ways.
In March, the $31.5 billion-asset Cullen/Frost Bankers, Frost Bank’s parent company, detected unauthorized access into its lockbox software program, which allowed hackers to steal customer data. Frost Bank notified the public about the breach with a news release, issued during the week that the incident occurred.
The company later provided more details of the breach to investors, first during its first-quarter earnings conference call on April 26 and in its 10-Q, filed the same day.
“We have stopped the identified unauthorized access and are working with a leading cybersecurity firm,” Cullen/Frost said in the 10-Q. “We have reported the incident to, and are cooperating with, law-enforcement authorities and our investigation is ongoing.”
Frost’s public disclosures on the incidents, such as written notifications to lockbox customers and to affected account holders, “were made because it was the right thing to do,” said spokesman Bill Day. “Our priority was making sure the affected parties knew what happened, how it affected them, and what Frost was doing about it.”
He declined to say if the disclosures were made as a result of the SEC guidelines.
Last month, hackers stole about data from about 50,000 customers of Bank of Montreal, and about 40,000 customers from CIBC’s online bank, Bloomberg reported. Since both breaches were fairly small, they may not be financially material to either company, said Derryck Coleman, research manager at Audit Analytics, a financial data provider in Sutton, Mass.
CIBC and BMO were targeted by hackers during the last weekend of May and both companies issued news releases or press statements on Monday. Neither bank has yet filed documents with the SEC on the incidents, although both have shares that trade in the U.S.
CIBC complies with all disclosure requirements, said spokesman Tom Wallis. BMO has “complied and will continue to comply with all applicable Canadian and U.S. securities regulations and related guidance,” said spokesman Paul Gammal. Both the CIBC and BMO spokesmen declined to offer additional details.
It makes sense that some banks would prefer not to rush out information on a data breach, Licker said. A bank could get egg on its face if it says something happened that later turned out to not be true.
“There’s a hesitancy to do anything too fast because you want to investigate these things and learn all the facts first,” he said. “How fast do you have an obligation to let the market know?”
Companies are also struggling with determining what they are supposed to disclose. The SEC’s guidelines are short on details, Licker said.
“A criticism of the guidance has been that it’s ambiguous as to what companies need to do. It doesn’t set forth any guidelines for timing” of disclosures, he said.
In its 24-page guidelines, issued on Feb. 21, the SEC said “we expect companies to disclose cybersecurity risks and incidents that are material to investors, including the concomitant financial, legal, or reputational consequences.”
Banks may also struggle to ascertain what should be disclosed based on the financially material rule, said Megan Brown, a cybersecurity attorney at Wiley Rein. It’s easy for a company to determine if a breach is material to its own finances, but it’s more difficult to say if it financially affects investors.
“The question is, what would a shareholder claim in a lawsuit that is material for them in making an investment decision,” Brown said. “It’s fairly unclear from the SEC guidance” what a company should use to make that determination, she said.
The new guidelines may take some time for banks to adopt, as most companies don’t disclose these incidents. Public companies experienced 64 cyber breaches in 2017, but only 24 of them were disclosed in SEC filings, according to Audit Analytics.
Licker said that he expects more banks to disclose breaches as they begin to view the SEC guidelines as a requirement, even though they don’t carry the legal weight of a rule or regulation. That’s because they were issued by the five-member commission, not SEC staff.
Expect more banks to also include cybersecurity language such as this in the “risk factors” section of their annual reports: “We are susceptible to fraudulent activity, information security breaches and cybersecurity-related incidents that may be committed against us or our clients, which may result in financial losses or increased costs to us or our clients,” the $1.5 billion-asset County Bancorp in Manitowoc, Wis., said in its 10-K, filed in March
New regulations approved last year by the New York State Department of Financial Services go even further than the SEC’s guidelines.
In addition to enhanced disclosure requirements, banks subject to NYSDFS oversight must adopt written a cybersecurity policy, implement procedures and controls and designate a chief information security officer.
That last requirement in particular is creating headaches for some banks as they aim to comply with the new rules, which take effect in phases between September 2017 and March 2019.
Theodore Tomita, chief technology officer at the $435 million-asset Catskill Hudson Bank in Monticello, N.Y., told American Banker last year that he’s been flooded with calls from firms proposing to handle the bank’s information security functions.
“I would love to have about 15 minutes with [Gov. Andrew] Cuomo to thank him for the 4,000 phone calls I’ve received from every fly-by-night company that says they can be our information security officer,” Tomita said.