Who Deserves to Know About Bank Cyber Threats?
As banks prepare for new rules governing when cybersecurity attacks must be reported to federal regulators, a new survey shows customers and the general public are still left in the dark about many threats.
Out of 95 global banks that responded to a Moody’s Investors Service survey, about two-thirds said they notified their boards of directors about a cyber event during the 12-month period that ended in April 2021. About 60% of the banks surveyed said they reported at least one such event to regulators.
But only 33% of the banks said they had reported a cyber incident to their customers, and just 14% said they had issued a public notice.
“Clearly there seems to be a disconnect between what's being reported to the board and then what's being reported to external stakeholders,” said Leslie Ritter, senior analyst at Moody’s and one of the lead authors of the report.
Three banking regulators, including the Federal Deposit Insurance Corp., implemented a rule this month that requires banks to report certain computer security incidents within 36 hours. The compliance date for the new rule is May 1.
The Securities and Exchange Commission also proposed a rule last month that would bolster its existing regime, requiring companies not just to report “material” cybersecurity incidents, but also to provide updates on previous incidents, to disclose what expertise the company’s management has in assessing cybersecurity risks, and more.