Download This PaperBank Disclosures of Cyber Exposure
43 Pages Posted: 6 Feb 2020
Date Written: November 1, 2019
Abstract
Financial institutions are increasingly subject to cyber incidents and attacks. Cyber intrusions threaten these institutions’ balance-sheets and reputations, and can undermine their resilience. From a societal perspective, cyber risk is particularly concerning as it regards systemically important financial institutions, like the largest internationally active banks. This is because the stability of the financial system as a whole—and thus the real economy—depends on these banks’ resilience to stressful events, including cyber attacks. To date, the SEC has taken the lead among the financial regulators in addressing cyber risk, chiefly through an emphasis on disclosure. This Article critically examines the existing design of that mandatory disclosure regime by reviewing the content of nearly 900 SEC filings made by the seven systemically important U.S. bank holding companies over a three-year period. That review suggests that the current trajectory of SEC rules and guidance is in some ways overbroad as applied to these institutions; but in other ways, the rules and guidance remain inadequate to address the various public and private interests at stake. The Article urges the SEC to design a more nuanced set of rules for cyber disclosure, which would be better tailored for systemically important banks.
Keywords: disclosure, banks, SIFI, cyber risk, securities regulation
Suggested Citation: Suggested Citation
Christina Parajon Skinner (Contact Author)
University of Pennsylvania - The Wharton School ( email )
3641 Locust Walk
Philadelphia, PA 19104-6365
United States
European Corporate Governance Institute (ECGI) ( email )
c/o the Royal Academies of Belgium
Rue Ducale 1 Hertogsstraat
1000 Brussels
Belgium
