From: BankInfo Security
ABA’s Johnson Explains SEC Requirements
By Jeffrey Roman
When it comes to reporting cyber-attack activity to the Securities and Exchange Commission, U.S. banking institutions should avoid a boiler-plate approach and be mindful of the details, says Doug Johnson, who oversees risk management policy for the American Bankers Association.
“The SEC back in October of 2011 clarified existing rules and guidance as it related to what an institution that’s publicly traded has to do, in terms of responsibility for reporting these types of events,” Johnson says during an interview with Information Security Media Group (transcript below).
That disclosure, he adds, needs to be tailored to a company’s individual circumstances (see Top Banks Offer New DDoS Details).
“The institution should avoid the boiler-plate language associated with the attack,” Johnson explains. “They should describe what the attack looked like, what the materiality was, what the company has done to address those risks, and what the costs and consequences to the company would be.”
As distributed-denial-of-service attacks continue to strike financial institutions of all sizes, publicly traded institutions must keep in mind the specific reporting obligations the SEC places on them, he adds.
Failing to adhere to those reporting requirements could result in fines and penalties down the road, Johnson says.
During this interview, Johnson also reviews:
- How banking institutions should communicate about an attack with customers and the general public;
- The challenges banking institutions face when it comes to sharing too much information;
- Why collaborating with industry peers, law enforcement and banking industry groups is becoming increasingly critical.
Johnson leads the ABA’s enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts. He has assisted in the ABA’s release of a series of resources designed to help deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and he serves on the BITS/Financial Services Roundtable Security Steering Committee, in addition to his involvement with FS-ISAC.