
MainStreet Bank reports vendor cyber incident that leaked customer data



MainStreet Bank said a cyberattack affecting one of its vendors exposed the sensitive information of about 5% of its customers.

In regulatory filings with the Securities and Exchange Commission (SEC) on Friday afternoon, MainStreet Bancshares said it was informed in March that the vendor was compromised.

“Though every vendor undergoes an intensive security vetting process, we swiftly ceased all activity with this supplier,” the company said, adding that they concluded a review of the scope of the incident in late April.

The company did not respond to a request for comment about how many customers were affected and what information was stolen. The Fairfax-based bank has 55,000 ATMs and branches across Virginia and Washington, D.C.

An investigation determined that MainStreet Bank’s systems had not been compromised and no unauthorized transactions had been carried out. They found no evidence that money was stolen from any accounts, and customers have continued to be able to conduct transactions.

MainStreet Bank said it notified regulators of the incident and informed customers on May 26. The company created monitoring systems and provided victims with “tools to monitor any suspicious activity.”

According to the filing, the incident has not had a “material impact” on the company’s operations.

MainStreet Bank reported deposits of about $1.9 billion in the last quarter and a net income of $2.5 million. In 2024, the company reported a loss of $9.98 million.

The filing comes days after five major banking associations sent a letter to the SEC demanding it rescind the cyber incident disclosure rule that forces banks to report cyberattacks.

The rule, which went into effect last year, has been attacked repeatedly by members of Congress and banks, many of which argue that the requirements “impose extra risks, cost, and complexity on SEC registrants, undermining the SEC’s mission to facilitate capital formation, while also failing to generate the kind of decision-useful information which would advance the SEC’s mission to protect investors.”

The associations said in the letter that the initial fears expressed by industry “have manifested.”

“Registrants have been forced to publicly disclose an incident even if it is ongoing, the company’s investigation is not complete, and the incident has not been fully remediated,” they said.

“The premature disclosure has harmed registrants and at the same time failed to provide the market with meaningful or actionable information upon which to make investment decisions.”

The letter notes that despite repeated efforts by the FBI, Justice Department and SEC to clarify the rule, banking institutions and SEC-regulated companies are still confused about when to file incidents.

The banks claimed that hackers have started to leverage the reporting requirement against them, using it “as extra extortion leverage,” referencing a 2023 incident where the AlphV ransomware gang extorted financial software company MeridianLink. They said there have been other instances “where threat actors have deployed similar pressure on victims and referenced the incident disclosure requirement in connection with threats and demands.”

“The incident disclosure requirement has been weaponized as an extortion method by ransomware criminals to further malicious objectives, and may subject disclosing companies to extra cybersecurity threats,” they said, adding that the financial sector already has to comply with at least 10 confidential incident reporting requirements.

One of the biggest issues, whether an incident is “material” to a company’s financial standing, has continued to cause confusion, the banking associations said. Of the 32 filings so far, only 9 identified a material impact in their initial disclosures, and just two more did so in amended filings.

“Rather than providing clarity, the inconsistent use of [the rules]… injects uncertainty into the market and undermines the objective of standardized, decision-useful disclosure,” they said.
