What you need to know about the FinCEN Cybersecurity Advisory
In October of last year, the Financial Crimes Enforcement Network (FinCEN) released an advisory relating to cyber security. The advisory touched on many different aspects of cyber security, including providing clarifications and defining terms for the required and voluntary use of Suspicious Activity Reports (SARs) in relation to cyber events.
FinCEN distinguished between “cyber-events” (attempts to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information) and “cyber-enabled crime” (illegal activities carried out or facilitated by electronic systems and devices, such as fraud, money laundering, and identity theft). The advisory also defined “cyber-related information” as information that describes technical details of electronic activity and behavior, like IP addresses, timestamps, indicators of compromise, and any data relating to the digital footprint of individuals and their behavior.
One of the most important parts of the advisory, however, was the set of guidelines for mandatory SAR reporting with regard to cyber events. This includes requiring financial institutions to report any suspicious transaction conducted or attempted by, at, or through the institution in the amount of $5,000 or more. It’s important to note that not only do you need to report the activity, but you should also offer all available information relevant to the suspicious activity, descriptions and signatures of the cyber-event, attack vectors, command-and-control nodes, etc. The advisory also encouraged the voluntary reporting of cyber events when a SAR isn’t required. This could present itself in many different ways, one of which would be a distributed denial of service (DDoS) attack that might affect your website without directly impacting any customer data.
Another point of emphasis FinCEN made in the advisory was the need for BSA and IT staff to work jointly on cyber-related issues. By doing so, the BSA staff could walk the IT staff through the confidentiality and content components that SARs require. Conversely, the IT staff could help the BSA staff become more knowledgeable about the terminology and technicalities that will be needed to file cyber-related SARs (IP addresses, timestamps, etc.).