MainStreet Bank has reported a vendor cyber incident that exposed sensitive customer information for about five percent of its clientele. In regulatory filings made with the Securities and Exchange Commission last Friday afternoon, the bank stated it was informed of the incident in March. Although each vendor reportedly undergoes thorough security vetting, MainStreet Bank immediately ceased all activity with this third-party provider. The bank then concluded its own internal review of the incident’s full scope and impact in late April before acting further. MainStreet Bank’s own systems were not compromised in this event, and no unauthorized transactions were conducted on any accounts.
The company also found no direct evidence that any money was stolen from customer accounts during the incident. Customers have continued to conduct all their transactions as normal without any significant widespread interruption. MainStreet Bank has notified all relevant regulators of the incident and directly informed affected customers on May 26th. It also quickly created new monitoring systems and subsequently provided affected customers with tools to help them monitor for suspicious activity. According to the bank’s filing, the vendor-related incident has not had a “material impact” on its overall business operations.
This disclosure comes just days after five major banking associations sent a formal letter to the SEC demanding that the agency rescind its cyber incident disclosure rule for public companies. The rule, which went into full effect last year, forces banks and other SEC registrants to publicly report cyberattacks. The banks argue the rule imposes additional risks, substantial unforeseen costs, and undue complexity, thereby undermining the SEC’s primary mission. They also claim it fails to generate decision-useful information that would advance the SEC’s mission to protect investors.
The banking associations further assert that this premature disclosure requirement has harmed registrants and also failed to provide the market. They also claim that sophisticated hackers have started to leverage the mandatory reporting requirement against their victims, using it as an additional extortion lever during negotiations with compromised companies after an attack. The financial sector, they note, already has to comply with at least ten other confidential incident reporting requirements for various agencies. Determining whether an incident is truly “material” to a company’s financial standing also continues to cause significant confusion, leading to inconsistent public filings by companies under the new rule.