Major financial institutions are increasingly disclosing cyber attacks, as well as potential vulnerability to cyber threats, in their annual reports filed with the U.S. Securities and Exchange Commission. Numerous banks disclosed such attacks in their 2012 reports, even in cases where the ongoing threat of the attacks did not result in any material harm to the institution. Cited examples include: a disclosure by Citigroup Inc. that it “ha[s] been, and will continue to be, subject to an increasing risk of cyber incidents”; a disclosure by Goldman Sachs Group, on that it is “regularly the target of attempted cyber attacks”; a disclosure by Bank of America Corporation that its “technologies, systems, networks and [its] customers’ devices have been subject to, and are likely to continue to be the target of, cyber attacks, computer viruses, malicious code, phishing attacks or information security breaches”; a disclosure by JPMorgan Chase & Co. that it “continue[s] to experience significant distributed…attacks from technically sophisticated and well-resourced third parties.”
Bank of America and JPMorgan Chase disclosed cyber attacks even though both companies’ annual reports contained assurances that, to date, the cyber attacks they have faced have not had any material impact on their operations or financial results. Additionally, many banks disclosed that their systems may contain potentially exploitable vulnerabilities.
It seems likely the Obama Administration’s recent executive order and presidential policy directive on cybersecurity played a part in encouraging the banks to include cybersecurity disclosures in their latest filings.
In a guidance directive issues by the SEC in October 2011, the SEC emphasized that businesses were not expected to provide the kinds of technical disclosures that could provide a roadmap for hackers to infiltrate their systems, but that cyber incidents should be disclosed if:
- they are among the most significant factors making an investment risky;
- their associated consequences represent a material event or trend that is reasonably likely to materially affect the company’s financial condition;
- they materially affect a company’s services, products, competitive conditions or relationships with suppliers or customers;
- they result in material legal proceedings; or
- they pose a threat to the company’s ability to report other required disclosures
