Privacy & Information Security Law Blog

As reported in The Washington Post, large financial institutions are increasingly disclosing cyber attacks, and potential vulnerability to cyber threats, in their annual reports filed with the Securities and Exchange Commission. Numerous banks disclosed such attacks in their 2012 reports, even in cases where the ongoing threat of the attacks did not result in any material harm to the institution. For example:

• In its 10-K filed on March 1, 2013, Citigroup Inc. disclosed that it “ha[s] been, and will continue to be, subject to an increasing risk of cyber incidents.”
• Similarly, Goldman Sachs Group, Inc. disclosed in its 10-K filed on the same day that it is “regularly the target of attempted cyber attacks.”
• In its 10-K filed on February 28, 2013, Bank of America Corporation disclosed that its “technologies, systems, networks and [its] customers’ devices have been subject to, and are likely to continue to be the target of, cyber attacks, computer viruses, malicious code, phishing attacks or information security breaches.”
• JPMorgan Chase & Co., in its 10-K filed February 28, 2013, stated that it “continue[s] to experience significant distributed…attacks from technically sophisticated and well-resourced third parties.”

Bank of America and JPMorgan Chase disclosed cyber attacks even though both companies’ annual reports contained assurances that, to date, the cyber attacks they have faced have not had any material impact on their operations or financial results. Additionally, many banks disclosed that their systems may contain potentially exploitable vulnerabilities.

Considering the SEC issued guidance in October 2011 regarding disclosure obligations related to cyber attacks and their associated risks, it seems likely the Obama Administration’s recent executive order and presidential policy directive on cybersecurity played a part in encouraging the banks to include cybersecurity disclosures in their latest filings.

In its October 2011 guidance, the SEC emphasized that businesses were not expected to provide the kinds of technical disclosures that could provide a roadmap for hackers to infiltrate their systems, but that cyber incidents should be disclosed if:

• they are among the most significant factors making an investment risky;
• their associated consequences represent a material event or trend that is reasonably likely to materially affect the company’s financial condition;
• they materially affect a company’s services, products, competitive conditions or relationships with suppliers or customers;
• they result in material legal proceedings; or
• they pose a threat to the company’s ability to report other required disclosures.