When it comes to reporting cyber-attack activity to the Securities and Exchange Commission, U.S. banking institutions should avoid a boiler-plate approach and be mindful of the details, says Doug Johnson, who oversees risk management policy for the American Bankers Association.
"The SEC back in October of 2011 clarified existing rules and guidance as it related to what an institution that's publicly traded has to do, in terms of responsibility for reporting these types of events," Johnson says during an interview with Information Security Media Group (transcript below).
That disclosure, he adds, needs to be tailored to a company's individual circumstances (see Top Banks Offer New DDoS Details).
"The institution should avoid the boiler-plate language associated with the attack," Johnson explains. "They should describe what the attack looked like, what the materiality was, what the company has done to address those risks, and what the costs and consequences to the company would be."
As distributed-denial-of-service attacks continue to strike financial institutions of all sizes, publicly traded institutions have certain reporting obligations set by the SEC they must keep in mind, he adds.
Failing to adhere to those reporting requirements could result in fines and penalties later down the road, Johnson says.
During this interview, Johnson also reviews:
- How banking institutions should communicate about an attack with customers and the general public;
- The challenges banking institutions face when it comes to sharing too much information;
- Why collaborating with industry peers, law enforcement and banking industry groups is becoming increasingly critical.
Johnson leads the ABA's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA's release of a series of resources designed to help deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and he serves on the BITS/Financial Services Roundtable Security Steering Committee, in addition to his involvement with FS-ISAC.
TRACY KITTEN: Can you give us a brief overview of the current landscape and the cybersecurity concerns banking institutions are most focused on?
DOUG JOHNSON: First, I think that you're correct in portraying the majority of the cyber-attacks as being disruptions of systems, rather than intrusions of systems. But that doesn't mean that disruptions and intrusions can't happen at the same time, and I think that's one thing that we, as banking companies, are very, very mindful of - the fact that these attacks are becoming increasingly sophisticated. With their sophistication, they could take on various different types of attack vectors. They can attempt to disrupt, as well as intrude, systems, so we need to be aware of both. We need to be aware that the volume of attacks is going to be increasing as well, as we've seen over the course of the last year. Attacks will take multiple fronts.
KITTEN: In late December, the Office of the Comptroller of the Currency reminded banking institutions that they're required to track and report DDoS and other cyber-attack activity. What exactly are banking institutions' reporting responsibilities?
JOHNSON: There are a variety of different responsibilities. Some of the responsibilities do relate to the reporting of suspicious activity through suspicious activity reports. Some of them involve talking specifically to the field examination functions. Your primary federal regulators, obviously, have a very important role here, and the specific examiners that examine your institution are going to be very interested in whether or not you're being attacked as a company and what you're doing, essentially, to respond to that attack. Some institutions, because they're publicly traded, also have reporting responsibilities associated with security filings and the like.
There are a variety of different manners in which institutions are required to track and report these. The OCC [Office of the Comptroller of the Currency] indicated in their most recent guidance that institutions should really have appropriate risk management programs to identify and appropriately consider these threats. And I think that's the real basis for any of this tracking and reporting - to ensure that you as an institution have an appropriate and dynamic risk management function that really allows you to see these attacks when they occur, and also have your institution plugged into the various information-sharing mechanisms that will allow you to know that these attacks are occurring in other institutions and, specifically, what those institutions are experiencing.
KITTEN: How should this cyber-activity be reported?
JOHNSON: You do have suspicious activity reporting requirements. Those requirements require your institution to report a computer disruption and intrusion, in some cases. It doesn't necessarily need to have a loss associated with it. It can just be an attack against a critical system of the institution. The institution has to make some determination as to whether or not there's some level of criticality to the system that has been attempted to be disrupted. Online banking platforms, obviously, are extremely important to banking retail consumers. That would be one of those systems which would be very important to [include] on a suspicious activity report.
One thing that's also very important to do is to go and have that conversation with your primary federal regulator at the field level, similar to what you would do for generalized security-breach reporting. We've always recommended that institutions talk to their examiners in charge and find out from their examiners in charge what types of reporting they would like to see associated with security breaches, either when information is compromised or account statements are mismailed; every field office is different. Since that's your primary contact, as a financial institution, that's where you should start. Have that conversation with your examiner in charge, because they're the ones who are going to be contacting you if they find out that you've been a victim of a denial-of-service or other attack.
KITTEN: Since the beginning of 2013, several leading banking institutions, including Citigroup, Bank of America and JPMorgan Chase, have included information about cyber-attacks they've suffered in their quarterly and annual reports that they filed with the SEC. Are these cyber-attacks expected to be included in 10-Ks and/or other SEC filings that institutions submit?
JOHNSON: Yes. As a matter of fact, they are. The SEC back in October of 2011 clarified existing rules and guidance, as it related to what an institution that's publicly traded has do to report these types of events. It all boils down to materiality. Essentially, the SEC has said that while cyber-events are not specifically noted in existing guidance, to the extent that a cybersecurity risk or incident has a material impact on the institution, the institution is required to disclose that to the SEC through public reporting. That's really what the basis of the SEC guidance is.
They've also stressed that this particular disclosure should really be tailored to what the company's individual facts and circumstances were. The institution should avoid the boiler-plate language associated with the attack. They should describe what the attack looked like; what the materiality was; what the company has done to address those risks; what the costs and consequences to the company would be; and what occurrence and impact would be covered by insurance or otherwise. That's basically going back to existing guidance that the SEC has always had in place, and clarifying that it also does apply to cybersecurity incidents.
KITTEN: Under what circumstances should banking institutions include some of this cyber-activity in their SARs reporting?
JOHNSON: As we've discussed briefly, a computer intrusion doesn't necessarily have to result in a specific fraud event to be reported on a suspicious activity report. Computer intrusions are defined as gaining access to a system, but they're also defined as damage and the ability to disable or otherwise affect a critical system in the institution. Denial-of-service attacks, particularly the ones which we just experienced over the last six-plus months, because they were very substantial in terms of the volume of activity, which was really attempting to disrupt these individual institutions, clearly would fall within a SAR reporting guideline.
KITTEN: What if a banking institution is unsure of whether fraud has been committed or a breach of information has actually resulted from an attack?
JOHNSON: The threshold for reporting the intrusion is not a financial loss. It's the intrusion itself. That's the important piece. But again, it's also hard to know the motivations of the perpetrators. It's also hard to know to what extent a disruption has occurred, and we talked about in the previous question the fact that disruptions and intrusions can occur at the same time. Because of that, don't assume that you know the motivations of the perpetrator. Also realize that your obligation is not really hinging upon the fact that you had a financial loss. Erring on the side of reporting would be an advisable strategy.
What to Report
KITTEN: Banking institutions are expected to differentiate between a DDoS attack, for instance, and an online outage that could be linked to something less nefarious. Should they be reporting all of this?
JOHNSON: When you're talking about motivations of the perpetrators, it's always hard to discern exactly why a criminal or other perpetrator does what they do. The one way to differentiate an attack is clearly on the basis of volume, as we discussed previously. But I think that another way to really know where the attack vectors are coming from is to take advantage of the information-sharing mechanisms that are available to our sector. Those first and foremost start with the FS-ISAC [Financial Services Information Sharing and Analysis Center], but they also go to peer-to-peer sharing. [There] was a substantial amount of peer-to-peer sharing of threat information during the denial-of-service attacks. That was an extremely important component. We have the ability, on a peer-to-peer basis and systemwide, to understand a lot about the attacks, which helps us differentiate the various attacks and know when a specific DDoS attack could turn into something else.
KITTEN: Would you say that it's pretty easy for institutions to differentiate between something that may have been an outage without an attack versus something that's actually attacking to take a network down?
JOHNSON: I'd like to turn the question around, if you wouldn't mind, and say that it would be near impossible for the institution to do that in a vacuum. It's the ability of the institution to avail itself with the various information-sharing mechanisms that are out there in order to really understand the nature of the threat and what to report about it.
What to Tell Customers
KITTEN: Should some of the reporting that banking institutions do also include public notifications?
JOHNSON: Clearly, each institution is going to make its own decisions regarding broader public notification outside its own customer base. But regarding discussions with customers, it's always important to ensure the customers know what's happening. In the case of the recent DDoS attacks, the slowdowns did not involve any breach in customer data, and it's important for customers to know that. It's also important for customers to know that other delivery channels may be available. That doesn't mean ATM or the branch; it also means mobile banking.
This also could be called a teachable moment for customers, because it allows the institution to communicate with their customers about what they can do to protect themselves and their devices. You can go back to all your basic blocking-and-tackling, in terms of the kinds of computer-hygiene education that you provide, about anti-viral software, browser settings, phishing, strong passwords and things of that nature.
Reporting to State AGs
KITTEN: What should institutions consider when it comes to reporting a breach to states' attorneys general?
JOHNSON: State reporting requirements can differ from state to state, but they do have some consistent characteristics, and most of them do center on the compromise of sensitive, personally identifiable information. Some states do require specific reporting to a state privacy office or other office, and that office may or may not be attached to the state attorney general's office. At the end of the day, it's important for each institution to understand and be aware of the specific state reporting requirements in those states that they have a footprint in, because they're going to have some differences. But the vast majority of them do have breach reporting requirements.
KITTEN:Does the ABA or the FS-ISAC have any advice about the venues banking institutions may want to pursue, where communicating directly with customers and members is concerned?
JOHNSON: The venues are many, obviously, but there's always a basic concern or balance that needs to be reached, between appropriate public communication and potentially providing too much information to the perpetrators. Sometimes we may have to err on the side of not disclosing information publicly, so that it does not give the originators of the attack information that might be helpful to them.
At the same time, there's great value in being able to ensure that your customers know what the nature of the attack is and how you're responding to it and how they, themselves, can respond to it. It's also advisable, because these attacks are well-known in the media, sometimes, for the institution to take some kind of broader media approach, to ensure that the public is aware of the fact that the institution is responding effectively. Every attack is different, and every institution's approach is going to be different, and the mechanisms they pursue to discuss the attack with their customers and the public is going to be different because of that. What's most important is for every stakeholder within the institution to have the appropriate level of information to know what the status of the institution is and how they can avail themselves with service.
KITTEN: What concerns do regulators and banking bodies have about sharing too much information?
JOHNSON: It does get back to ensuring that we're not indicating to the perpetrators portions of their attacks which may be more successful than other portions, or that there are certain types of security measures that the institution is taking that have been successful or not successful. Obviously, that gives the perpetrators guesses as to what might be an advisable attack strategy for them in the future. It's the balance that we need to achieve - ensuring that the media and all other public bodies have the information that is appropriate regarding the attack.
Communicating with Law Enforcement
KITTEN: Is information sharing between banking institutions and law enforcement being facilitated by the FS-ISAC?
JOHNSON: The FS-ISAC has been around since 1999, and some institutions, particularly the larger institutions that were the subjects of the most recent denial-of-service attacks, have been part of that community for many years. It's a combination of the FS-ISAC being able to be the aggregator and the platform by which institutions can share information. But, also, because of the trusted network that the FS-ISAC has built over time ... there's a need for peer-to-peer sharing.
The primary example of that would be some of the earlier iterations of the Cyber Fighter Pastebin notices. If you recall, those notices essentially indicated not only which institutions would be attacked, but which day they were going to be attacked on. An institution that was attacked on Tuesday would be able to talk to the institution that was going to be attacked on or indicated to be attacked on Wednesday about the threat. While the threat may be different from institution to institution, because systems are different, peer-to-peer information sharing is very important. But, the trusted network allows you not to just share information, but also resources. I'm actually very proud of the fact that there were many instances of institutions not just telling other institutions what protective measures they were using that were successful, but also providing human resources to other institutions to help them withstand the attack. That really demonstrates, once again, that in our sector we view cybersecurity as a cooperative effort, not a competitive one. And it's an effort I'm rather proud of, frankly.
Advice to Institutions
KITTEN: What considerations related to cyber-activity reporting would you like to share with our audience?
JOHNSON: ... The most recent attacks, most of them being disruptions as opposed to intrusions, gave us the ability to test our cyber-attack responses. And that response includes the manner in which we report cyber activity. I think that we're stronger as a sector because of this testing. I think we'll do an even better job of reporting cyber-activity in the future, on the basis of what we've been experiencing recently, and we'll continue to evolve our protection measures as well as our reporting procedures as the threats change. And as you and I both know, they're going to change.