Last month, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued an Advisory which provided substantial guidance to financial institutions regarding the scope of information that must be provided in Suspicious Activity Reports (SARs) arising from cyber-events, cyber-enabled crime, and cyber-related information under the Bank Secrecy Act (BSA).

When are financial institutions required to report cyber-events pursuant to the BSA?

Pursuant to the BSA and its implementing regulations, a financial institution is required to report any suspicious or attempted transaction involving $5,000 or more in funds or other assets. If the suspicious or attempted transaction involves a cyber-event, it now falls squarely within the reporting requirements under the BSA. Accordingly, cyber-events targeting financial institutions that could affect a transaction or series of transactions over the reporting threshold amount must be analyzed as a suspicious transaction.

In determining whether a cyber-event should be reported, a financial institution should consider all available information surrounding the cyber-event, including its nature and the information and systems targeted. Similarly, to determine monetary amounts involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event.

What cyber-related information must be included in a SAR?

When filing a mandatory or voluntary SAR involving a cyber-event, financial institutions should provide the following information:

  1. a description of the event to include information regarding the magnitude of the event;
  2. known or suspected time, location, and characteristic/signatures of the event;
  3. indicators of compromise;
  4. relevant IP addresses and their timestamps;
  5. device identifiers;
  6. methodologies used; and
  7. all other information the financial institution believes is relevant.

In addition, the Advisory explains that institutions subject to a large volume of cyber-attacks are permitted to report the cyber-events through a single cumulative SAR if the cyber-events are substantially similar in nature.

The Importance of Collaboration between BSA/AML and IT Cybersecurity within the Institution

In order to ensure an institution has implemented a comprehensive threat assessment program and developed appropriate risk management strategies and responses to cyber-events, it is imperative that the essential departments, BSA/AML compliance, legal, cybersecurity and IT work hand-in-glove to identify, report, and mitigate cyber-events and cyber-enabled crime. Likewise, these departments should have a structured reporting and feedback loop system wherein they share information from across the organization, hold regular meetings to discuss issues, provide cross-training between departments and have written policies and procedures that facilitate cooperation. This type of internal cooperation will provide for more comprehensive, accurate and complete SAR reporting and is consistent with the underlying principal and primary goal of FinCEN’s Advisory to “help U.S. authorities combat cyber-events and cyber-enabled crime” targeted at financial institutions.