Academic journal article Iowa Law Review

Bank Disclosures of Cyber Exposure

Academic journal article Iowa Law Review

Bank Disclosures of Cyber Exposure

Article excerpt

I.Introduction

Cyber intrusions are one of the most pressing risks facing financial institutions today.1 Cyber risk presents corporate governance challenges for these institutions to manage, as well as financial stability threats for the bank regulator to address. Because banks provide critical services to the broader economy, such as payments, credit, and demand deposits, a large bank's vulnerability to a cyber attack-which could threaten the disruption of these critical services-presents the potential for adverse spillover effects. Indeed, precisely as Kevin Stiroh, the New York Fed's Executive Vice President of the Financial Institution Supervision Group, remarked in April 2019, "You don't need to convince anyone that this is a fundamental risk for financial firms, the financial system, and the broader economy."2 Cyber risk would thus seem to present a classic case for regulatory intervention.3 But how should such regulation be designed?

Among the various financial regulators, the Securities and Exchange Commission ("SEC") has been particularly attentive to cyber risk. While banking law and regulation has remained relatively inert in the face of mounting cyber risk, the SEC has taken several steps forward. In February 2018, the SEC expanded and augmented a piece of regulatory guidance which was first issued in 2011. In that guidance, SEC Chairman Jay Clayton made clear that "[p]ublic companies must stay focused on [cybersecurity] issues and take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion."4 That 2018 guidance explained that firms are obligated by the Securities Act of 1933 and Securities Exchange Act of 1934 to disclose their cyber controls, risks, and vulnerabilities.5 This Article questions whether the sharpening of mandatory disclosure requirements-through sub-regulatory guidance no less6-is justified in the particular case of systemically important banks.

To be sure, the SEC has legitimate reason to be concerned about underdisclosure of cyber risk by public companies generally. Many seem to be dragging their feet in disclosing major breaches. Equifax, for example, waited months to disclose the fact that it had suffered a "cybersecurity incident" of unprecedented scale in the spring-summer of 2017-a breach that affected 143 million Americans.7 Similarly, Yahoo! waited nearly two years to disclose a massive cyber incident from 2014.8

In light of these delays, it could be appropriate to press certain nonfinancial public companies for more timely disclosure of their cyber incidents. After all, classic disclosure law theory maintains that fulsome public company disclosure enables market (i.e., price) efficiency-by that theory, the timely disclosure of cyber breaches would allow the price of those companies' shares to reflect the company's value as discounted by its shortcomings in managing cyber risk.9 Disclosure should also, in theory, better equip a company's debt and equity investors to hold managers and board members accountable for adequate cyber risk management.10

But systemically important banks may present a special case. Publicizing the details of a bank's cyber vulnerability can further weaken that bank, which can lead to macro instability. News of a cyber breach at a large bank could, for instance, instigate depositor panic, thereby precipitating a plunge in the perceived value of a bank's assets. Such disclosure could also flag open wounds to would-be cyber attackers, inviting more intrusions. As such, pressing very large banks to disclosure more information about their cyber issues could work at cross-purposes to certain financial stability goals of banking regulation, even if such disclosure could improve market efficiency.

Arguably, the SEC should weigh and balance the various interests in market efficiency on the one hand, with resilience and financial stability on the other. On that view, the core claim of the Article is that the SEC's current approach to cyber disclosure has given short shrift to this kind of weighting and balancing analysis, and further refinement along those lines would lead to a more optimally designed disclosure regime. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.