The Financial Crimes Enforcement Network, or FinCEN, an arm of the United States Department of the Treasury, issued an advisory last week to remind financial institutions of their obligations to report cyber-events on Suspicious Activity Reports (SARs). While FinCEN emphasizes that its advisory does not change existing reporting requirements, it goes to lengths to discuss its “expectations” about what and how information will be reported when it comes to cybersecurity events.
By way of background, financial institutions are required by the Bank Secrecy Act (“BSA”) to report suspicious or potentially suspicious activity conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. The advisory delineates those cybersecurity events that trigger a mandatory filing from those in which a financial institution should consider making a voluntary filing. FinCEN takes a broad view of SAR reporting requirements, including within its description of cybersecurity events that trigger mandatory reporting not only those events “known” by a financial institution to have actually affected a financial transaction, but also those it “suspects, or has reason to suspect” were “intended to affect” a transaction or series of transactions. FinCEN reasons that such events are “unauthorized” and “relevant to a possible violation of law or regulation.” With regard to voluntary reporting, FinCEN cites the need to safeguard customers and the nation’s financial systems from the threats posed by traditional criminals, cybercriminals, state actors, and terrorists as a reason to encourage such reporting.
Regardless of whether a SAR filing is mandatory or voluntary, the FinCEN advisory directs financial institutions to use a SAR to provide information about cybersecurity events, guides financial institutions as to what information they should report in the SAR, instructs financial institutions to cooperate across units within the organization, and encourages them to cooperate across the financial industry.
In particular, FinCEN advises financial institutions to:
1. Report “cyber-enabled crime and cyber-events” in SARs, and use the comma-separated value (CSV) format to provide information and data in tabular form.
2. Include all relevant and available information known to the financial institution, including a detailed description of the event and its magnitude, the nature of the attack or incident, attack vectors, methodologies used, IP addresses with timestamps, virtual-wallet information, device identifiers, information and systems targeted, and other information.
3. Collaborate, communicate, and share information across the organization, including with business units addressing cybersecurity, BSA and anti-money laundering compliance, and fraud prevention. FinCEN believes such collaboration will lead to more comprehensive threat assessment and risk management strategies.
4. Share information and work together with other financial institutions to identify threats, vulnerabilities, known or suspected criminals, and criminal activity.
FinCEN is the latest banking regulator to call for stricter cybersecurity regulations during the past month. On October 19th, federal banking regulators sought comments on enhanced cyber risk management standards for the nation’s largest financial institutions. And in September, the New York Department of Financial Services announced sweeping and detailed new regulation requiring banks and insurance companies that operate in New York to meet stringent new cybersecurity standards.