At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberassaults last year, a sign of growing openness among corporations about the breadth of cybersecurity incidents plaguing the private sector.
In their annual financial reports to the Securities and Exchange Commission, major banks such as Bank of America, Citi, Wells Fargo and JPMorgan Chase, along with smaller institutions, have reported that their systems were hit with computer disruptions or intrusions.
Almost all reported that they were targeted in last year’s highly publicized “distributed denial of service attacks” (DDOS) — efforts to disrupt access to Web sites by barraging servers with computer traffic. The assaults, which are ongoing, made headlines in the fall when U.S. officials said they believed they were launched by the Iranian government in retaliation for sanctions imposed because of Tehran’s nuclear program.
The disclosures are significant in that for years, companies, including banks, have been loath even to acknowledge that they have been victims of such incidents.
But it appears that SEC guidance issued in October 2011 making clear that companies need to report significant computerized theft or disruption, combined with greater public attention to the issue, is forcing more disclosure. Also, the fact that the banks hit by the DDOS attacks have been named in media accounts has made ignoring them more difficult.
Fifth Third Bank in Cincinnati, for instance, disclosed it had endured a DDOS attack early last year. “We did it as a way to be transparent,” said Debra DeCourcy, a bank spokeswoman. “If there is something else positive that can be gained from that, it’s all the better.”
DDOS incidents do not involve penetrating networks, but the assaults that washed over the banking industry in the fall were of such force and duration that banks have spent millions of dollars shoring up their security, industry officials said. Some analysts estimate that the collective cost comes to hundreds of millions of dollars.
The disruptions also got the attention of the White House and the national security community, which have been trying to help the private sector better handle such incidents. President Obama recently signed an executive order aimed at helping companies in critical sectors shore up their network security. Improved sharing of threat data between the government and companies is considered crucial to that effort.
Such corporations as eBay, LinkedIn, Level 3 Communications, Chesapeake Energy and AT&T have admitted they suffered intrusions or disruptions last year. “It’s almost naive for most large companies in the critical infrastructure sector to say that they aren’t subject to attack,’’ said Paul Smocer, president of BITS, a financial services trade organization.
The stepped-up disclosure, he said, “brings greater awareness, greater diagnosis and a desire to find a stronger cure” for system vulnerabilities.
Even with the new openness, security experts say the real scale of companies affected by cybersecurity incidents is much larger.
SEC officials said it was crucial for investors to know not just what a company’s risk is but when that risk has become reality. “You now have companies making affirmative statements that they have been subject to attack,” said Lona Nallengara, head of the SEC’s Division of Corporation Finance. “We think that’s a good thing.”
In the past two years, companies have included standard warnings in financial filings that they are subject to computer viruses, electronic break-ins and denial-of-service attacks, just as they are exposed to risks of hurricanes and tornadoes. But now, Nallengara said, a growing number of companies are “stopping before they put in that boilerplate language, and thinking, ‘Has it occurred to us?’ ”
But one bank official, speaking on the condition of anonymity, said that his bank would rather disclose to “our partners and the government, and not to the world at large.” He said, “Every time we give detail on what we know about the threats, we’re sharing that with those who might be looking to target us.”
Though companies are more upfront about incidents, they generally assert that the impact is limited. In the report Citi filed Friday, it acknowledged it had suffered DDOS attacks last year “intended to disrupt consumer online banking” but said that its monitoring services were able to respond to these incidents “before they became significant.” It also disclosed it had been affected by data breaches and hacking attempts. The incidents “resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber incidents.”
In some cases, the SEC has nudged firms to report. Last year, for example, Citi reported it had suffered data breaches in 2011. The disclosure came after Citi was among 50 or so companies that received SEC letters in 2011 asking them to explain why certain intrusions or disruptions had not been revealed to investors. In Citi’s case, the Connecticut attorney general and federal authorities, including the Secret Service and FBI, were conducting investigations of how the breach occurred.
Jacob Olcott, a cybersecurity expert with Good Harbor Security Risk Management, said the increased transparency is “an absolutely critical step.” But he added that the public needs more analysis and disclosure of the financial impacts of theft of trade secrets and intellectual property and of disruptions caused by DDOS assaults.
“This is the market solution to cybersecurity,” said Olcott, who as a staff member of the Senate Commerce Committee in 2011 advocated stronger SEC guidance on cybersecurity disclosure. “It’s getting investors aware of the issue. And it’s getting senior executives to manage cyber-risk the same way they would manage other business risks.”