“Cybersecurity” is the new buzzword in many conversations these days. And, the most recent to weigh in on the cybersecurity topic is FinCEN. On October 25th, 2016, it issued an advisory reminding financial institutions of their obligations for filing SARs when a “cyber-event” occurs. Let’s dig into this a little bit and see if there is anything new in this advisory.
First, FinCEN defined “cyber-event” for us, which helps us understand what we are dealing with. A cyber-event is “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information.” OK, nothing new there, but there is a keyword we should pay attention to in that sentence. The word is “attempt”. We don’t file a SAR only when something bad has actually happened. We should file a SAR whenever we discover that a cybersecurity event has been attempted. This means any attempt to seek unauthorized access to electronic systems, services, resources, or information in order to conduct unauthorized transactions should trigger a SAR filing.
FinCEN also provides some reasoning behind why a cyber-event merits a SAR filing. As we all know, we are required to report suspicious activity conducted or attempted that involves or aggregates to $5,000 or more in funds. So, first, FinCEN says that if there is reason to believe a cyber-event was intended to conduct a transaction or series of transactions, it should be considered a “suspicious transaction” because it is unauthorized. Then, if the financial institution has reason to suspect the cyber-event did or could have resulted in unauthorized transactions aggregating or involving at least $5,000 in funds, we have the final SAR qualifier. It’s interesting that the cyber-event doesn’t have to result in any loss of funds; there only has to be reason to believe that it could have.
And, just for good measure, FinCEN also states that in cases where a cyber-event wouldn’t require a SAR filing based on the above information, it encourages financial institutions to file a SAR anyway, as this information is usually highly valuable to law enforcement investigations.
In the advisory, FinCEN also provided helpful information about what should be included in a cybersecurity SAR filing. Examples of such information are:
- Description and magnitude of the event
- Known or suspected time, location and characteristics or signatures of the event
- Command-and-control nodes
- IP addresses with timestamps
- Methodologies used
- Virtual-wallet information
- Device identifiers
- Any other relevant information
Sounds like you will definitely need your IT department’s help on this.
The final statement in the advisory is that it is not intended to create any new obligation that would require financial institutions to collect cyber-related information as a matter of course. But you can be sure that if you do have that information, you better file a SAR. Cybersecurity is here to stay, so we better get on board now by monitoring and reporting this activity.