105 Iowa L. Rev. 239 (2019)

Download PDF

Abstract

Financial institutions are increasingly subject to cyber incidents and attacks. Cyber intrusions threaten these institutions’ balance-sheets and reputations, and can undermine their resilience. From a societal perspective, cyber risk is particularly concerning as it regards systemically important financial institutions, like the largest internationally active banks. This is because the stability of the financial system as a whole—and thus the real economy—depends on these banks’ resilience to stressful events, including cyber attacks. To date, the SEC has taken the lead among the financial regulators in addressing cyber risk, chiefly through an emphasis on disclosure. This Article critically examines the existing design of that mandatory disclosure regime by reviewing the content of nearly 900 SEC filings made by the seven systemically important U.S. bank holding companies over a threeyear period. That review suggests that the current trajectory of SEC rules and guidance is in some ways overbroad as applied to these institutions; but in other ways, the rules and guidance remain inadequate to address the various public and private interests at stake. The Article urges the SEC to design a more nuanced set of rules for cyber disclosure, which would be better tailored for systemically important banks.