Subsequent Events

9 Months Ended

Sep. 30, 2020

Subsequent Events [Abstract]

Subsequent Events

Note 12. Subsequent Events

Subsequent to the quarterly period ended September 30, 2020, the Company detected and confirmed that the Bank and certain of its customers and employees were the target of an external, criminal cyber-attack involving theft and fraudulent activity perpetrated by third-party cybercriminals.

On or about October 8, 2020, Bank management discovered that one or more unauthorized persons had gained unlawful access to the account information of two customers (as identified to date), using such information to fraudulently create online banking accounts.  These fraudulent online accounts were then used to originate three fraudulent wire transfers (as identified to date) during the first week of October 2020.  While Bank management was able to timely prevent any further fraudulent wire transfer attempts, the cybercriminals managed to execute fraudulent wire transfers of cash in an amount totaling approximately $199 thousand.

Immediately upon discovery of this cyber incident, management recalled the wires from the other relevant financial institutions and reported the matter to appropriate Virginia and Federal law enforcement authorities, including the Virginia State Police High Tech Crimes Division and the U.S. Federal Bureau of Investigation Cyber Division, as well as the Bank’s regulators.  In addition, management also engaged outside legal counsel, Woods Rogers PLC, who engaged a third-party information technology forensics advisor to oversee an internal forensic investigation and advise Bank management and the Company’s Board of Directors concerning this matter.  Management has received confirmation from the banks receiving the fraudulent wires that a significant portion of the wired funds are held and anticipated to be returned to the Bank.

Based on this internal forensic investigation, management believes that two Bank employees may have been the target of phishing attempts by cybercriminals, resulting in Microsoft Office 365 accounts of two Bank employees being accessed by a threat actor beginning in late July 2020.  The Company’s internal forensic investigation suggests that the Bank and certain of its customers and employees' information may have been illegally accessed by an external, criminal threat. It is unknown at this time whether the suspected Microsoft Office 365 account incident and the fraudulent wire transfers are related.  The subset of Bank customers whose personal information was, or may have been, accessed as part of this cyber incident are in the process of being notified and supplied with additional information and resources, including credit monitoring.

Based on the nature of the incident, our research and internal forensic investigation and third party (including law enforcement) investigations, management has determined that, to date, this cyber incident has not had, and is not expected to have, any material effect on the Company or its financial statements, legal proceedings, reputation or customer relationships.  However, investigations into this cyber incident by management, outside legal counsel, the third-party forensics advisor and law enforcement remain ongoing.