Building a Cyber Risk Management Program by Brian Allen

Author: Brian Allen
Language: eng
Format: epub
Publisher: O'Reilly Media
Published: 2023-12-11T00:00:00+00:00


When Multiple Risks Combine to Become a Material Risk

Beginning in late 2016, Wells Fargo, one of the largest and most important US-based financial institutions, was caught up in a huge scandal involving the creation of millions of fraudulent bank accounts for clients without their consent. Representatives of Wells Fargo’s US banking operation added new accounts to clients’ existing ones—creating credit card accounts for clients who had only checking or savings accounts—without their consent or even their knowledge, with the result that these customers incurred additional fees and charges.

Regulatory agencies, including the U.S. Consumer Financial Protection Bureau (CFPB), fined Wells Fargo a total of $185 million for what they clearly established was widespread fraud. Lawsuits—many of them still ongoing—requested damages of almost $3 billion. The bank’s CEO was forced to resign, and the company suffered severe reputational damage that continues to this day.

The Wells Fargo scandal is an excellent example of what we mean when we say that risks become material in the aggregate. The creation of each of the fraudulent accounts represented only a comparatively minor infraction. (To be clear, each was still almost certainly a criminal fraud, but its cost to each individual client was, in most cases, fairly small.) If the practice had, for example, been limited to a single bank branch, or even a single operating region, it would likely not have represented a materially relevant risk—that is, it would likely not have needed to be disclosed to the SEC and other regulators. But the investigations into the case clearly established that the fraud was far-reaching and resulted from intense corporate pressure for branch representatives to engage in a practice called “cross-selling.” Investigations also established that Wells Fargo’s most senior management knew or should have known that widespread fraud was taking place. That made all those small fraudulent transactions “material in the aggregate” and therefore subject to the disclosure rules of the SEC and other regulatory bodies. This also turned a series of small issues into a massive problem that’s still causing Wells Fargo, and of course its shareholders, serious damage.

Here’s an example of how this would work in relation to cyber incidents: a series of several small breaches—the digital equivalent of all those small frauds—could be material in aggregate. That could obviously be relevant to an investor who’s considering buying or selling shares in the enterprise—and that’s what potentially makes it a material incident. The SEC specifically noted in its latest cyber rule that the definition of a “cybersecurity incident” extends to a “series of related unauthorized occurrences.” Examples include the same malicious actor engaging in a number of smaller but continuous cyberattacks related in time and form, or a series of related attacks from multiple actors exploiting the same vulnerability and collectively impeding the company’s business materially.


