At least 19 financial institutions have disclosed to investors in recent weeks that their computers were targets of malicious cyberattacks last year, a sign of growing openness among corporations about the breadth of cybersecurity incidents plaguing the private sector.
In their annual financial reports to the Securities and Exchange Commission, major banks such as Bank of America, Citi, Wells Fargo and JPMorgan Chase, along with smaller institutions, have reported that their systems were hit with computer disruptions or intrusions.
Almost all reported that they were targeted in last year’s highly publicized “distributed denial of service attacks” — efforts to disrupt access to websites by barraging servers with computer traffic. The assaults, which are ongoing, made headlines in the fall when U.S. officials said they believed they were the work of the Iranian government.
The disclosures are significant in that for years, companies, including banks, have been loath even to acknowledge that they have been victims of such incidents.
But it appears that SEC guidance issued in October 2011 making clear that companies need to report significant computerized theft or disruption, combined with greater public attention to the issue, is forcing more disclosure. Also, the fact that the banks hit by the DDOS attacks have been named in media accounts has made ignoring them more difficult.
“It’s almost naive for most large companies in the critical infrastructure sector to say that they aren’t subject to attack,” said Paul Smocer, president of BITS, a financial services trade organization.