DDoS: How to Report the Details

When it comes to reporting cyber-attack activity to the Securities and Exchange Commission, U.S. banking institutions should avoid a boilerplate approach and be mindful of the details, says Doug Johnson, who oversees risk management policy for the American Bankers Association.

"The SEC back in October of 2011 clarified existing rules and guidance as it related to what an institution that's publicly traded has to do, in terms of responsibility for reporting these types of events," Johnson says during an interview with Information Security Media Group (transcript below). That disclosure, he adds, needs to be tailored to a company's individual circumstances (see Top Banks Offer New DDoS Details).

"The institution should avoid the boilerplate language associated with the attack," Johnson explains. "They should describe what the attack looked like, what the materiality was, what the company has done to address those risks, and what the costs and consequences to the company would be."

As distributed-denial-of-service attacks continue to strike financial institutions of all sizes, publicly traded institutions have certain reporting obligations set by the SEC that they must keep in mind, he adds. Failing to adhere to those reporting requirements could result in fines and penalties down the road, Johnson says.

During this interview, Johnson also reviews:

• How banking institutions should communicate about an attack with customers and the general public;
• The challenges banking institutions face when it comes to sharing too much information;
• Why collaborating with industry peers, law enforcement and banking industry groups is becoming increasingly critical.

Johnson leads the ABA's enterprise risk, physical and cyber security, business continuity and resiliency policy and fraud deterrence efforts.
He has assisted in the ABA's release of a series of resources designed to help deter bank robberies, assess information technology risk, deter phishing, safeguard customer information and buttress emergency preparedness. He also represents the ABA on the Financial Services Sector Coordinating Council, which advises the federal bank regulatory agencies on homeland security and critical infrastructure protection issues, and he serves on the BITS/Financial Services Roundtable Security Steering Committee, in addition to his involvement with FS-ISAC.

Cyberthreat Landscape

TRACY KITTEN: Can you give us a brief overview of the current landscape and the cybersecurity concerns banking institutions are most focused on?

DOUG JOHNSON: First, I think that you're correct in portraying the majority of the cyber-attacks as being disruptions of systems, rather than intrusions of systems. But that doesn't mean that disruptions and intrusions can't happen at the same time, and I think that's one thing that we, as banking companies, are very, very mindful of - the fact that these attacks are becoming increasingly sophisticated. With their sophistication, they could take on various different types of attack vectors. They can attempt to disrupt, as well as intrude, systems, so we need to be aware of both. We need to be aware that the volume of attacks is going to be increasing as well, as we've seen over the course of the last year. Attacks will take multiple fronts.
Reporting Responsibilities

KITTEN: In late December, the Office of the Comptroller of the Currency reminded banking institutions that they're required to track and report DDoS and other cyber-attack activity. What exactly are banking institutions' reporting responsibilities?

JOHNSON: There are a variety of different responsibilities. Some of the responsibilities do relate to the reporting of suspicious activity through suspicious activity reports. Some of them involve talking specifically to the field examination functions. Your primary federal regulators, obviously, have a very important role here, and the specific examiners that examine your institution are going to be very interested in whether or not you're being attacked as a company and what you're doing, essentially, to respond to that attack. Some institutions, because they're publicly traded, also have reporting responsibilities associated with security filings and the like.

Source: http://www.bankinfosecurity.com/ddos-how-to-report-details-a-5720