Bank Disclosures of Cyber Exposure

Author: Christina Parajon Skinner
Position: Assistant Professor, Legal Studies and Business Ethics, The Wharton School of the University of Pennsylvania
Pages: 239-281
Bank Disclosures of Cyber Exposure
Christina Parajon Skinner*
ABSTRACT: Financial institutions are increasingly subject to cyber incidents
and attacks. Cyber intrusions threaten these institutions’ balance-sheets and
reputations, and can undermine their resilience. From a societal perspective,
cyber risk is particularly concerning as it regards systemically important
financial institutions, like the largest internationally active banks. This is
because the stability of the financial system as a whole—and thus the real
economy—depends on these banks’ resilience to stressful events, including
cyber attacks. To date, the SEC has taken the lead among the financial
regulators in addressing cyber risk, chiefly through an emphasis on disclosure.
This Article critically examines the existing design of that mandatory
disclosure regime by reviewing the content of nearly 900 SEC filings made by
the seven systemically important U.S. bank holding companies over a three-year
period. That review suggests that the current trajectory of SEC rules and
guidance is in some ways overbroad as applied to these institutions; but in
other ways, the rules and guidance remain inadequate to address the various
public and private interests at stake. The Article urges the SEC to design a
more nuanced set of rules for cyber disclosure, which would be better tailored
for systemically important banks.
I.INTRODUCTION ............................................................................. 240
II.CYBER RISK AS OPERATIONAL RISK ............................................... 245
A.CORPORATE GOVERNANCE AND OPERATIONAL RISK .................. 246
B.DISCLOSURE AND OPERATIONAL RISK ....................................... 249
III.DATA ON DISCLOSURE .................................................................. 254
A.METHODOLOGY ...................................................................... 254
B.THE FILINGS ........................................................................... 258
1.Quantitative Analysis ..................................................... 258
2.Qualitative Analysis ....................................................... 261
* Assistant Professor, Legal Studies and Business Ethics, The Wharton School of the
University of Pennsylvania. With thanks to Brian Feinstein, Merritt Fox, Zohar Goshen, Paul
Mahoney, Henry Monaghan, Frank Partnoy, Bob Thompson, and workshop participants at IU
Maurer School of Law and Minnesota Law School, for generous feedback on drafts of this Article.
Megan York provided excellent research assistance.
240 IOWA LAW REVIEW [Vol. 105:239
IV.RE-DESIGNING THE DISCLOSURE RULES ........................................ 268
A.WHERE ARE THE MARKET FAILURES? ....................................... 269
1.Information about Cyber Risk as a Public Good ........ 270
2.Operational Resilience as a Public Good .................... 272
B.SO, WHAT SHOULD BE DISCLOSED? .......................................... 273
C.TO WHOM SHOULD BANKS DISCLOSE? ..................................... 276
V.THE LIMITS OF DISCLOSURE AND SYSTEMIC CYBER RISK............... 277
VI.CONCLUSION ................................................................................ 281
I. INTRODUCTION
Cyber intrusions are one of the most pressing risks facing financial
institutions today.1 Cyber risk presents corporate governance challenges for
these institutions to manage, as well as financial stability threats for the bank
regulator to address. Because banks provide critical services to the broader
economy, such as payments, credit, and demand deposits, a large bank’s
vulnerability to a cyber attack—which could threaten the disruption of these
critical services—presents the potential for adverse spillover effects. Indeed,
precisely as Kevin Stiroh, the New York Fed’s Executive Vice President of the
Financial Institution Supervision Group, remarked in April 2019, “You don’t
need to convince anyone that this is a fundamental risk for financial firms,
the financial system, and the broader economy.”2 Cyber risk would thus seem
to present a classic case for regulatory intervention.3 But how should such
regulation be designed?
Among the various financial regulators, the Securities and Exchange
Commission (“SEC”) has been particularly attentive to cyber risk. While
banking law and regulation has remained relatively inert in the face of
1. According to an annual data breach investigation report published by Verizon in
concert with 67 other national and economic security organizations, of the 64,199 cyber
incidents that they studied, about 1,368 of the incidences and 795 of the confirmed breaches
occurred in the financial services industry. Penny Crosman, Where Banks Are Most Vulnerable to
Cyberattacks Now, AM. BANKER (Apr. 26, 2016, 12:00 PM), https://www.americanbanker.com/news/where-banks-are-most-vulnerable-to-cyberattacks-now [https://perma.cc/DGS9-TY25].
2. See Kevin Stiroh, Exec. Vice President, Fed. Reserve Bank of N.Y., Thoughts on
Cybersecurity from a Supervisory Perspective at the SIPA’s Cyber Risk to Financial Stability: State-
of-the-Field Conference 2019 (Apr. 12, 2019), available at https://www.bis.org/review/r190430l.pdf [https://perma.cc/CLN2-E94Q].
3. A recent White House report on the issue relied on such economic justification for
regulatory intervention in cyber risk: “Importantly, cyberattacks and cyber theft impose
externalities that may lead to rational underinvestment in cybersecurity by the private sector
relative to the socially optimal level of investment.” EXEC. OFFICE OF THE PRESIDENT, THE COST
OF MALICIOUS CYBER ACTIVITY TO THE U.S. ECONOMY 1 (2018), available at https://www.whitehouse.gov/wp-content/uploads/2018/02/The-Cost-of-Malicious-Cyber-Activity-to-the-U.S.-Economy.pdf [https://perma.cc/CW89-J6ZX] [hereinafter WHITE HOUSE REPORT].
mounting cyber risk, the SEC has taken several steps forward. In February
2018, the SEC expanded and augmented a piece of regulatory guidance
which was first issued in 2011. In that guidance, SEC Chairman Jay Clayton
made clear that “[p]ublic companies must stay focused on [cybersecurity]
issues and take all required actions to inform investors about material
cybersecurity risks and incidents in a timely fashion.”4 That 2018 guidance
explained that firms are obligated by the Securities Act of 1933 and Securities
Exchange Act of 1934 to disclose their cyber controls, risks, and
vulnerabilities.5 This Article questions whether the sharpening of mandatory
disclosure requirements—through sub-regulatory guidance no less6—is
justified in the particular case of systemically important banks.
To be sure, the SEC has legitimate reason to be concerned about under-disclosure
of cyber risk by public companies generally. Many seem to be
dragging their feet in disclosing major breaches. Equifax, for example, waited
months to disclose the fact that it had suffered a “cybersecurity incident” of
unprecedented scale in the spring-summer of 2017—a breach that affected
143 million Americans.7 Similarly, Yahoo! waited nearly two years to disclose
a massive cyber incident from 2014.8
4. Jay Clayton, Chairman, SEC, Statement on Cybersecurity Interpretive Guidance (Feb.
21, 2018), available at https://www.sec.gov/news/public-statement/statement-clayton-2018-02-21 [https://perma.cc/RQR8-L8XF]; see also Commission Statement and Guidance on Public Company
Cybersecurity Disclosures, SEC (Feb. 26, 2018), https://www.sec.gov/rules/interp/2018/33-10459.pdf [https://perma.cc/PL5D-58ZP] [hereinafter SEC Cyber Guidance].
5. The SEC has also created a separate cyber unit. Press Release, SEC, SEC Announces
Enforcement Initiatives to Combat Cyber-Based Threats and Protect Retail Investors (Sept. 25,
2017), available at https://www.sec.gov/news/press-release/2017-176 [https://perma.cc/Z2HT-XAH3]; see also Jonathan S. Kolodner et al., Cleary Gottlieb Discusses the SEC’s New Cyber Unit,
Six Months On, COLUM. L. SCH.: CLS BLUE SKY BLOG (Apr. 3, 2018), http://clsbluesky.law.columbia.edu/2018/04/03/cleary-gottlieb-discusses-the-secs-new-cyber-unit-six-months-on
[https://perma.cc/3WBX-9K45] (noting that cyber related disclosure has also been identified
as an “enforcement interest” for the Cyber Unit).
6. Sub-regulatory guidance is not open to public comment in the way that formal
rulemaking is. As Deputy Associate Attorney General Claire McCusker Murray noted,
“subregulatory guidance isn’t law—it’s just paper.” Still, subregulatory guidance greatly impacts
the application of a law on the ground and companies may perceive it as a signal of the regulator’s
priorities—and, in turn, its enforcement priorities. Claire McCusker Murray, Deputy Assoc. Att’y
Gen., DOJ, Remarks at the Compliance Week Annual Conference (May 20, 2019), available at
https://www.justice.gov/opa/speech/remarks-principal-deputy-associate-attorney-general-claire-mccusker-murray-compliance [https://perma.cc/GRU6-2FML]; see also Nicholas R. Parrillo,
Federal Agency Guidance and the Power to Bind: An Empirical Study of Agencies and Industries, 36 YALE
J. ON REG. 165, 171 (2019).
7. Equifax Announces Cybersecurity Incident Involving Consumer Information, EQUIFAX (Sept. 7,
2017), https://investor.equifax.com/news-and-events/news/2017/09-07-2017-213000628
[https://perma.cc/JSN3-8398].
8. In re Altaba Inc, Yahoo! Inc., Order Instituting Cease-and-Desist Proceedings Pursuant
to Section 8A of the Securities Act of 1933 and Section 21C of the Securities Exchange Act of
1934, Making Findings, and Imposing a Cease-and-Desist Order, SEC Release No. 3,937 Securities
Act, Release No. 10,485, Securities Exchange Act Release No. 83,096, 2018 WL 1919547 (Apr.
24, 2018).