As powerful technologies and web-based processes are integrated into every aspect of modern society, the ability of financial service providers to protect the wealth of personal information they hold has become paramount, given the growing number of avenues of exploitation available to bad actors. A recent report from corporate data firm Audit Analytics identified striking trends in cybersecurity breaches and ransomware attacks on American financial institutions and other industries in 2021, putting public companies on high alert as Q2 2022 commences. The report, titled “Trends in Cybersecurity Breach Disclosures,” identified 188 disclosed cyber breaches in 2021, the highest number of reported incidents by firms in over a decade. Its data also showed that between 2020 and 2021 alone, breaches attributed to unauthorized access rose 118 percent, while ransomware attacks rose 44 percent.1 The underlying problem with these findings is that current Securities and Exchange Commission (SEC) requirements do not specifically mandate the disclosure of cybersecurity events in SEC filings unless they involve risks that could have a material effect on the company and/or its financial statements.2 The reported figures therefore represent only the tip of the iceberg with respect to the true extent of hacking and similar exploits across the United States over this period: only approximately 43% of the incidents that occurred in 2021 were ultimately disclosed in SEC filings.
Furthermore, even when breaches were disclosed, the analysis found that it took companies an average of just under 80 days to report them, hampering the ability of the relevant federal authorities to investigate and prosecute those behind the attacks. Given this lack of urgency in reporting, earlier this year the SEC proposed a new rule that would require companies to disclose material cybersecurity incidents, including the nature and scope of the incident, its effect on company operations and the status of any remediation, no later than four business days after the company determines that the incident is material. Affected firms would also be required to follow up with additional disclosures as their investigations into the incidents proceed.
While ransomware itself is far from a novel threat, it continues to receive much warranted attention at the highest levels of government, both domestically and abroad. Ransomware is a form of malicious software (malware) designed to block access to a computer system or its data, generally by encrypting data or programs on IT systems, in order to extort ransom payments from victims in exchange for decrypting the information and restoring access. In recent years it has seen an exponential rise in prevalence, sophistication and success rate. The COVID-19 pandemic and the mass shift to remote work for a significant portion of the global population have further compounded the problem. Recently, the Financial Crimes Enforcement Network (FinCEN), the Office of Foreign Assets Control (OFAC) and other federal defense and financial bodies have each issued advisories on ransomware and its exploitation of the global financial system. The U.S. Treasury Department has also gone on record identifying potential sanctions risks for individuals, organizations and both new and established payment platforms found to have knowingly or unknowingly facilitated ransomware payments to cybercriminals in connection with malicious cyber-enabled activities. This has drawn additional scrutiny to cryptocurrency markets and individual exchanges that may be acting in this capacity.
In addition to ransomware and hacking exploits, the Audit Analytics report also highlights misconfiguration (the exploitation of incorrectly configured security controls and web applications), malware (software intentionally designed to damage user systems) and phishing (fraudulent attempts to obtain sensitive information under the guise of trustworthy electronic communications) as threats growing in both prevalence and success at extracting valuable information and funds from unsuspecting or underprepared entities.1 Personal information is by far the most common form of data compromised in cybersecurity breaches, being lost in over 50% of the attacks disclosed in 2021. Financial information (such as bank account and credit/debit card data) followed closely behind, while intellectual property and proprietary business information were also significant, though less frequent, targets.1
Yet with all of this information being pilfered, only 4% of disclosures included information on the internal controls and cybersecurity safeguards of the publicly traded firms that may have been compromised in these attacks. The Sarbanes-Oxley (SOX) Act of 2002, which imposed more stringent oversight of the control systems supporting external financial disclosures for companies listed on U.S. stock exchanges, requires disclosure of changes indicating a possible significant deficiency in a company’s internal controls over financial reporting, as well as of subsequent remediation undertaken to improve those controls. This makes the 4% figure all the more puzzling, as one would expect the growing number of data breaches and ransomware attacks to have had a more visible effect on such disclosures. Clearly additional reform is warranted, at the very least to give federal investigators a fighting chance at identifying and apprehending the actors behind these attacks, and the SEC’s proposed rule is likely to go a long way in this regard should it come to fruition.
1. “Cybersecurity Report 2022.” Audit Analytics, Apr. 2022.
2. Murphy, Maria L. “AA Study: Cybersecurity Breach Disclosures Surge in 2021.” Compliance Week, 8 Apr. 2022.