U.S. Bank to pay multi-million-dollar settlement for failing to fully disclose cybersecurity incident.
The decision-making process involved in disclosing a cyber incident is a nuanced and delicate dance. Companies need to consider a myriad of factors, including when to disclose and how much detail to disclose to employees, customers, or regulators, such as the Securities and Exchange Commission (“SEC”).
A New York bank was recently forced to pay over $3.5 million to settle allegations that it minimized the extent of a cybersecurity incident in its SEC filings and public notices to customers. According to the SEC, the bank was negligent in making “materially misleading statements” regarding a cybersecurity incident involving the bank’s network between November 22, 2021 and December 25, 2021.
According to the SEC’s Order Instituting Cease-And-Desist Proceedings, the incident resulted in “the encryption of data, network disruptions, and the exfiltration of the personally identifiable information (‘PII’) of approximately 1.5 million individuals, including customers, on December 3 and 4, 2021.” Specifically, a threat actor obtained “unauthorized access to [the bank]’s platform that enabled users to access [bank] applications and desktops remotely […], obtained credentials that enabled the threat actor to deploy ransomware that caused encryption on approximately 30% of [the bank]’s work stations and servers, and exfiltrated data, including customer PII, from its network.” The incident also impacted the bank’s “ability to originate, service, and close loans,” forcing the bank to shut down its network for several hours, rebuild or restore servers, and reset employee passwords. The bank also made a ransom payment in exchange for the threat actor’s promise to allow the bank to delete the exfiltrated data.
The SEC determined that the bank’s 2021 Form 10-K statement was materially misleading because, at the time it was filed, the bank already knew it had experienced a cybersecurity attack that resulted in the exfiltration of sensitive customer and employee data and had interrupted the bank’s operations. From the SEC’s perspective, the 2021 Form 10-K statements characterized a cybersecurity attack as a hypothetical risk when, in fact, it had already occurred.
Additionally, the SEC found that the bank’s Customer Website Notice and 2022 Form 10-Q were misleading. The bank’s Customer Website Notice represented that there had only been unauthorized access to the bank’s network; however, at the time the notice was released, the bank was aware that the “threat actor exfiltrated the PII of approximately 1.5 million individuals from [the bank’s] network.”
Further, when the bank filed its 2022 Form 10-Q, it stated only that it had “recently experienced a cyber incident that involved unauthorized access to our network and other customer data.” In both the Customer Website Notice and the 2022 Form 10-Q, the SEC found that the bank misrepresented the extent of the incident: it omitted details on the scope and consequences of the incident, particularly its awareness that exfiltration had occurred, and it failed to disclose that fact to customers.
Due to these misstatements and omissions, the SEC found that the bank violated Section 17(a)(2) of the Securities Act and Section 13(a) of the Exchange Act and Rules 12b-20, 13a-1, 13a-13 and 13a-15 thereunder, resulting in the payment to the SEC.
What Went Wrong?
In the wake of a cyber incident, deciding when, how, and how much information to share can be difficult, and waiting until a crisis happens before formulating a response can exacerbate an already challenging situation. Plans should be developed and updated regularly to address all foreseeable areas of impact – including, of course, SEC filings. Involving legal, communications, and compliance resources, whether internal or external, becomes particularly critical when regulatory disclosures come into play.
Proactive Steps To Take – Regardless of Your Industry
Cybercrime is one of the most prevalent forms of fraud, regardless of industry, and companies should consider taking the following steps to prevent both cyber incidents and SEC reporting missteps:
- Ensure the company maintains robust cybersecurity measures to protect PII and financial information
- Ensure that only authorized personnel have access to sensitive data
- Regularly review and update cybersecurity policies and procedures
- Stay current on the latest fraud trends and prevention techniques (such as AI)
- Provide adequate cybersecurity incident training
- Maintain clear lines of communication between the communications and legal teams
- Develop and update a clear process to identify and comply with all applicable regulatory requirements, including a clear process for feeding accurate information into disclosures so that they are factually and legally accurate
Key Takeaways
If nothing else, the recent settlement demonstrates the importance of understanding regulatory expectations when faced with a cybersecurity incident. It is critical that companies immediately investigate the root cause and impact of the incident, determine whether exfiltration has occurred, analyze the company’s reporting obligations to regulators, individuals, and customers, and quickly determine the information necessary to disclose in a Form 10-Q, 10-K, or 8-K. Companies must review their incident response plans and protocols proactively and ensure that their executive leadership and incident response teams know how to respond, including having a robust disclosure process.