MainStreet Bancshares Reports Data Breach Affecting Customer Information

Community bank MainStreet Bancshares has reported that a recent data breach at a third-party provider compromised the information of approximately 4.65 percent of its customer base. The disclosure was made to the U.S. Securities and Exchange Commission (SEC) on Friday, adding a significant incident to the ongoing conversation about cybersecurity in the banking sector.

The breach, which was discovered in March, highlights the vulnerabilities that can exist within the supply chain of financial services. MainStreet Bancshares confirmed that while its own infrastructure remained secure, the unauthorized access to sensitive data occurred through an external vendor that has yet to be identified.

Despite not confirming the exact number of affected customers, MainStreet provided insights into its operations, noting that total deposits grew by 13 percent last year, reaching $1.9 billion. The bank operates approximately 55,000 ATMs and has six branches across Virginia and Washington, DC, serving more than 1,000 businesses.

Upon learning of the breach, MainStreet activated its incident response plan, ceasing operations with the affected vendor. The bank indicated that appropriate monitoring systems were established, and that impacted customers were notified and given tools to help them monitor for suspicious activity. Additionally, the SEC filing noted that no unauthorized transactions had taken place.

This incident comes amid discussions among U.S. banking leaders regarding regulatory requirements for disclosing cybersecurity incidents. Banking organizations, including the American Bankers Association and the Bank Policy Institute, have called for a repeal of certain SEC regulations that they argue create confusion and can lead to undue risk during initial investigation phases.

The Item 1.05 rule, effective as of December 2023, requires rapid reporting of cybersecurity breaches, which the banking bodies argue often results in premature disclosures that lack actionable information for investors. They assert that such regulations inadvertently empower criminal entities and complicate compliance for financial institutions.

The letter from the participating banking organizations requests collaboration with the SEC to develop a more balanced approach to cybersecurity disclosures. They emphasized the need for transparency without compromising the security and operational stability of the financial sector.