Is This the Newest Criticism at Your Next Exam?
Your bank should be filing a SAR for certain cybersecurity events.
When someone walks into your bank and cashes a check for $12,000.00, you need to file a Currency Transaction Report (CTR). But what if that person instead walks into your bank, shows you a $12,000.00 check and before asking you to cash it, says: “I know you have to report transactions at some dollar amount. I don’t want to cash this check if you have to report it. How big of a check can I cash before you report it?” Now you have learned that the individual may be trying to “structure” transactions to avoid CTR reporting. You need to file a Suspicious Activity Report (SAR); and you are already familiar with what details you should include in this type of SAR.
But do you know what circumstances would require your bank to file a SAR relating to a cyber event? What details are you expected to include? The U.S. Treasury Financial Crimes Enforcement Network (FinCEN) recently released an “Advisory to Financial Institutions on Cyber Events and Cyber-Enabled Crime.”* It guides banks on what events require a SAR filing and what information should be included in cyber-related SAR filings. Information such as IP addresses, timestamps, device identifiers and other technical details of electronic activity and behavior is important to include in the filing.
You should ensure your bank has the ability to obtain and interpret the technical details related to a specific attack so that you will have the necessary information with which to complete the SAR. For some types of attacks, it may be necessary to perform a certain amount of forensic investigation to obtain the necessary data. It is strongly recommended to determine if you or your existing vendors have forensic capabilities prior to needing the service and, if not, determine who the bank will select for these services.
Most banks are not very sure how far an attempted cyber attack must go before a SAR filing is appropriate: When is a SAR filing mandatory? When is a SAR filing voluntary but strongly encouraged by FinCEN? And, when is a SAR filing simply not necessary or helpful?
Every day, cyber criminals initiate hundreds of thousands of attempted attacks, probing for vulnerabilities that could give them an entry point into various banks’ data systems. While many of these attempted cyber attacks will be unsuccessful (if a bank has excellent information security), some will be very damaging. When no actual intrusion into a bank’s systems occurs, and there is no credible harm or threat to the bank’s operations or business, no SAR reporting will generally be required or expected.
FinCEN also recently released “Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs).”** This document gives some examples of cyber events that require a mandatory SAR filing, and also some where a SAR filing is voluntary but strongly encouraged.
A SAR filing is clearly mandatory when the bank’s systems have actually been penetrated by a cyber attack—whether or not confidential or sensitive information has been successfully accessed or damages have occurred. Attempted or actual stealing and use of customers’ confidential information for fraudulent purposes is assumed to meet the $5,000.00 threshold level for filing a SAR, and filing is mandatory.
Another category of cyber event directed at banks is the Distributed Denial of Service (DDoS) attack that blocks the bank’s website or other Internet-based applications from access, or that results in a substantially slowed response time on those systems. A DDoS attack by itself is not designed to penetrate the bank’s security systems and does not put customers’ confidential information at risk. A DDoS attack is nevertheless malicious, causing great inconvenience to customers and loss of customer confidence for the bank. In the case of a successful DDoS attack with no risk to data, a SAR filing to the FInCEN is voluntary but strongly encouraged. (Whether or not a SAR is filed, the bank should notify its primary federal regulator). Another type of attack combines a DDoS attack with a demand for a ransom payment to stop the attack; and in this case, the SAR filing would be mandatory if the amount being demanded is over $5,000.00.
While the recent FinCEN releases do not technically change existing filing requirements, they do clarify when FinCEN expects a bank to file a SAR related to cyber attacks. Banks should also be aware of specific guidance that their primary Federal banking regulator has issued concerning SAR filings as well.
Are you comfortable with the people and processes your bank has in place to protect the bank from cybersecurity events and to ensure your bank is meeting regulatory requirements relating to information technology?
Contact us at 800-498-8877, option 1, or at firstname.lastname@example.org to discover how BankOnIT helps banks to improve the efficiency, security and regulatory compliance of their information technology networks.