Who deserves to know about bank cyberthreats?
As banks prepare for new rules governing when cybersecurity attacks must be reported to federal regulators, a new survey shows customers and the general public are still left in the dark about many threats.
Out of 95 global banks that responded to a Moody’s Investors Service survey, about two-thirds said they notified their boards of directors about a cyber event during the 12-month period that ended in April 2021. About 60% of the banks surveyed said they reported at least one such event to regulators.
But only 33% of the banks said they had reported a cyber incident to their customers, and just 14% said they had issued a public notice.
“Clearly there seems to be a disconnect between what’s being reported to the board and then what’s being reported to external stakeholders,” said Leslie Ritter, senior analyst at Moody’s and one of the lead authors of the report.
Three banking regulators, including the Federal Deposit Insurance Corp., implemented a rule this month that requires banks to report certain computer security incidents within 36 hours. The compliance date for the new rule is May 1.
The Securities and Exchange Commission also proposed a rule last month that would bolster its existing regime, requiring companies to report not just “material” cybersecurity incidents, but also provide updates on previous incidents, to disclose what expertise the company’s management has in assessing cybersecurity risks, and more.
At the state level, many laws require companies that handle personal data to report certain breaches of information. The number of state residents affected by a breach typically determines whether the company must report the incident to the state’s attorney general. Some states then make those reports public.
Perhaps the most comprehensive reporting requirement came in an omnibus spending bill President Joe Biden signed last month. The law applies to companies that operate critical infrastructure, including financial institutions, and will eventually set up a 72-hour window for reporting cybersecurity incidents.
The Cybersecurity and Infrastructure Security Agency is running the rulemaking process, which may take up to three and a half years to complete.
Taken together, all of the new rules could lead to the public learning about more attacks, Moody’s analysts said.
“Certainly, that’s a bar that may not exist today. So expect to hear more,” said Megan Fox, a senior analyst at Moody’s who covers U.S. banks.
U.S. financial institutions do appear to be more transparent than companies in other industries when it comes to reporting cyber incidents — both internally and to outside parties.
About 37% of electric and gas utilities reported a cyber event to their boards, according to the Moody’s survey. Only 20% notified their regulators, and just 9% informed customers of a problem.
Within the financial sphere, banks outperformed asset managers. Fewer than one-third of the asset managers surveyed reported an incident to their boards, and 23% said they told regulators about a cyber event. None of them said they had notified the public about a cyber issue.
“Interestingly, the banking sector showed greater correlation between what’s being reported to the board and its regulators, at least compared to other corporate sectors that we looked at where reporting to the regulators was much less frequent,” Ritter said.
Though banks appear to report incidents in a more transparent fashion than companies in certain other sectors, they may also be more likely to fall victim to breaches.
A report released last month by Bristol, England-based cybersecurity firm Immersive Labs ranked how well organizations in various sectors performed in cyber exercises and simulations. Out of the more than 2,100 organizations, which collectively conducted more than 500,000 exercises, financial institutions scored second lowest in performance.
Getting top scores of 80% or better were companies in manufacturing, education, and technology. Financial services firms scored 45%, and healthcare companies scored 18%. Immersive Labs said five of the top 10 worst scores came from the financial services industry.
Across industries, cybersecurity risks are increasingly a top concern, a 2021 report from the consulting firm CyberRisk Alliance indicated.
The firm said this was in part because courts are finding that cybersecurity breaches are increasingly unlikely to be classified as force majeure — a legal principle that protects board members from personal liability in contract breaches. Such court decisions may be tied to the fact that more companies are purchasing cybersecurity insurance.
The CyberRisk Alliance quoted an information technology director for a financial services company, who said he suggests enterprises “centralize your cybersecurity policies. It acts as a checklist for policies and procedures.”
“Being able to ensure proper security mechanisms are in place while also making sure they comply with relevant regulations,” is essential, the IT director said.
Fully prepared or not, banks are making investments to address the issue. Banks reported a 19% increase in full-time cybersecurity employees over the past three years, according to the Moody’s survey — and that number is expected to keep rising.
“One of the reasons why we see banks standing out in the cyber survey is also relative to the highest threat level that they face,” Fox said. “As facilitators of important financial transactions, that naturally makes them a bigger target.”