The Financial Crimes Enforcement Network (FinCEN), the enforcement arm of the Treasury Department, has issued new guidance for financial institutions regarding cyber-events and cyber-enabled crime. The advisory, and an accompanying set of “frequently asked questions,” focuses on the reporting of breaches and cyber-enabled crime through Suspicious Activity Reports (SARs).
The guidance is targeted at financial institutions, casinos, depository institutions, the insurance industry, money services businesses, mortgage brokers, the precious metals and jewelry industry, and firms dealing in securities and futures.
The advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations for financial institutions. They should continue to follow federal and state requirements and guidance on cyber-related reporting and compliance obligations, FinCEN says. Financial institutions should also note that filing a SAR does not relieve them of any other applicable requirement to notify the appropriate regulatory agencies in a timely manner of events concerning critical systems and information, or of disruptions in their ability to operate.
Mandatory SAR reporting of cyber-events
A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.
In determining whether a cyber-event should be reported, an institution should consider all available information, including its nature and the information and systems targeted. To determine monetary amounts involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the event.
Financial institutions should also be familiar with any other cyber-related SAR filing obligations required by their functional regulator.
The guidance provides an example of a cyber-event and the expected reporting in its aftermath. Through a malware intrusion, cyber-criminals gain access to a bank’s systems and information. Following its detection, the bank determines that the attack put $500,000 of customer funds at risk. The bank reasonably suspects the intrusion was in part intended to enable the perpetrators to conduct unauthorized transactions using customers’ funds.
The bank must file a SAR because, although no actual transactions may have occurred, it has reason to suspect the intrusion could have been used to conduct unauthorized transactions aggregating or involving at least $5,000 in funds or assets.
Voluntary reporting of cyber-events
FinCEN encourages, but does not require, financial institutions to report “egregious, significant, or damaging cyber-events and cyber-enabled crime when such events and crime do not otherwise require the filing of a SAR.”
An example is given of a distributed denial of service (DDoS) attack that disrupts a bank’s website and disables online banking services for a significant period of time. After mitigating and investigating the attack, the affected financial institution determines that it was not intended to, and could not have, affected any transactions. Although a financial institution is not required to report such a DDoS attack, FinCEN encourages the institution to consider filing a SAR because the incident caused online banking disruptions that were particularly damaging to the institution.
Cyber-Related Information in SARs
Financial institutions should include available cyber-related information when reporting any suspicious activity, including those related to cyber-events. Related information includes, but is not limited to, IP addresses with timestamps, virtual-wallet information, device identifiers, and cyber-event information.
When filing a mandatory or voluntary SAR involving a cyber-event, financial institutions should provide complete and accurate information, including relevant facts in appropriate SAR fields, and information about the incident in the narrative section of the SAR. As needed, institutions may also attach a comma-separated value (CSV) file to SARs to report data, such as transaction details, in tabular form.
To the extent available, SARs involving cyber-events should include: a description and magnitude of the event; known or suspected time, location, and characteristics or signatures of the event; indicators of compromise; relevant IP addresses and their timestamps; device identifiers; methodologies used; and any other information the institution believes is relevant.
Institutions subject to large numbers of cyber-events may report them through a single cumulative SAR filing when they are similar in nature. For example, a bank may file one SAR to report several malware intrusions if these events share common characteristics and indicators such as the methodology used, the vulnerability exploited, and IP addresses involved.
In the event a financial institution’s filing software is not yet capable of including certain relevant information, such as cyber-related information, it should manually complete discrete SAR filings until it updates its software to allow the inclusion of such information. Financial institutions can submit discrete SARs through FinCEN’s BSA E-Filing System.
As for the information that should be included in a SAR, financial institutions should include available Internet Protocol (IP) addresses and accompanying timestamps associated with fraudulent wire transfers being reported, even if a cyber-event was not involved in the suspicious activity. A cyber-event should be reported regardless of whether it is considered unsuccessful. A financial institution is required to file a SAR to report any such incident if it knows, suspects, or has reason to suspect the cyber-event was intended to or could affect a transaction conducted or attempted by, at, or through the entity.
Similarly, when suspicious transactions do involve cyber-events, a financial institution should include in SARs all relevant and available information regarding the suspicious transactions and the cyber-event—including the type, magnitude, and methodology of the cyber-event as well as signatures and facts on a network or system that indicate a cyber-event.
FinCEN recognizes that filing a SAR to report each time an institution’s system or network is scanned or probed is impractical and could detract from efforts to guard against more significant money laundering and cyber-threats. However, when filing a SAR on a reportable cyber-event, institutions may include information about the scanning and probing of their systems and networks if available and relevant. To the extent that an entity reports scanning and probing, it may do so using cumulative SARs when such activity is too numerous to be reported individually.
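The filing tests described above (the $5,000 aggregate threshold for mandatory SARs, the voluntary test for damaging events, cumulative filings for events sharing methodology and indicators, and the CSV attachment of IP addresses with timestamps) can be turned into a triage routine. The following is an added illustration written for this article, not code from FinCEN or any filing system; the event fields, the sample events, the vulnerability label "VULN-A" and the CSV column names are constructed assumptions, not official SAR field names.

```python
import csv
import io
from dataclasses import dataclass, field
from itertools import groupby
from operator import attrgetter

SAR_THRESHOLD_USD = 5_000  # aggregate funds or assets involved in, or put at risk by, the event

@dataclass
class CyberEvent:
    event_id: str
    kind: str                   # constructed label, e.g. "malware_intrusion", "ddos", "scan"
    funds_at_risk: float        # aggregate funds/assets involved or put at risk (USD)
    could_affect_txn: bool      # institution suspects the event was intended to or could affect a transaction
    damaging: bool = False      # egregious, significant or damaging (voluntary-filing test)
    methodology: str = ""       # shared characteristics used to group events into a cumulative filing
    vulnerability: str = ""     # constructed placeholder label, not a real identifier
    ips: list = field(default_factory=list)  # (ip_address, timestamp) pairs

def sar_decision(ev: CyberEvent) -> str:
    """Return 'mandatory', 'voluntary' or 'none' for one event, following the advisory's tests."""
    if ev.could_affect_txn and ev.funds_at_risk >= SAR_THRESHOLD_USD:
        return "mandatory"      # reportable even if no transaction actually occurred
    if ev.damaging:
        return "voluntary"      # e.g. a DDoS that disrupted online banking for a long period
    return "none"               # e.g. routine scanning and probing on its own

def cumulative_groups(events):
    """Group reportable events sharing methodology and vulnerability into one cumulative filing."""
    key = attrgetter("methodology", "vulnerability")
    reportable = sorted((e for e in events if sar_decision(e) != "none"), key=key)
    return {k: [e.event_id for e in g] for k, g in groupby(reportable, key=key)}

def csv_attachment(events) -> str:
    """Render IP addresses with timestamps (and the event they belong to) as a CSV attachment."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["event_id", "kind", "ip_address", "timestamp_utc", "methodology"])
    for e in events:
        for ip, ts in e.ips:
            w.writerow([e.event_id, e.kind, ip, ts, e.methodology])
    return buf.getvalue()

# Constructed sample events mirroring the advisory's scenarios; addresses are from the 203.0.113.0/24 documentation range.
SAMPLE_EVENTS = [
    CyberEvent("E1", "malware_intrusion", 500_000, True, methodology="malware", vulnerability="VULN-A", ips=[("203.0.113.10", "2016-10-01T03:12:00Z")]),
    CyberEvent("E2", "malware_intrusion", 12_000, True, methodology="malware", vulnerability="VULN-A", ips=[("203.0.113.11", "2016-10-02T04:40:00Z")]),
    CyberEvent("E3", "ddos", 0, False, damaging=True, methodology="ddos"),
    CyberEvent("E4", "scan", 0, False, methodology="port_scan"),
]
```

With the sample data, the two malware intrusions fall into one cumulative group, the DDoS is flagged for a voluntary filing, and the bare scan produces no filing but would still be available to add as context to a reportable event.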