FinCEN Advisory on Cyber-Events and Cyber-Enabled Crime Part 2 - What Should Be Reported in a Cyber-Related SAR
Written by Shari R. Pogach, Regulatory Paralegal, NCBSO
As weâÂÂve previously blogged, last week the Financial Crimes Enforcement Network (FinCEN) issued FIN-2016-A005, its guidance to financial institutions on reporting cyber-related events and cyber-enabled crime. So what kind of information should a credit union include in a suspicious activity report (SAR) when reporting such activity?Â
First, FinCEN reminds filers that SARs are to be complete, accurate and incorporate all relevant information regarding suspicious activity, including cyber-related information. Why? Since todayâÂÂs financial transactions increasingly occur through the use of electronic systems and resources, any illicit financial activity will often have a digital footprint leading back to the individuals, their associates, their activity and any related suspicious transactions. So any SAR (including a voluntary SAR) should include any available cyber-related information reporting any suspicious activity. Examples of cyber-related information include: IP addresses with time stamps, virtual-wallet information, device identifiers and cyber-event information. FinCEN states that financial institutions should document and give a detailed description of the suspicious activity reported. SAR narratives should include descriptive cyber-related information as well as any cyber-related identifiers where there is not a pre-designated SAR field.
So when possible a cyber-related event SAR should include:
- Description and magnitude of the event
- Known or suspected time, location, and characteristics or signatures of the event
- Indicators of compromise
- Relevant IP addresses and their timestamps
- Device identifiers
- Methodologies used
- Other information the institution believes is relevant
FinCENâÂÂs advisory includes an attachment of frequently asked questions (FAQs) with specific details and technical specifications on completing SARs concerning cyber-events and cyber-enabled crime. The agency states these FAQs supersede its 2001 FAQs on computer intrusion as the new document provides new information and additional details. As one example, the new guidance notes that cyber-events and cyber-enabled crime can involve event-specific information. Still, FinCEN requests that SAR filers be consistent and use common and accepted terminology. One resource filers can use is the Glossary of Key Information Security Terms (May 2013), a publication issued by the National Institute of Standards and Technology (NIST). The guidance also clarifies how a financial institution is to report when it experiences numerous cyber-events; what it should do in instances of continuous scanning or probing of an institutionâÂÂs systems or network; and whether to report when an otherwise reportable cyber-event is unsuccessful.
FinCEN recommends institutions circulate the advisory with: cybersecurity units, network administrators, risk departments, fraud prevention units, BSA/AML management, AML intelligence units and AML analysts/investigators. According to the agency, it is not* creating any new obligation or expectation requirement for financial institutions to collect cyber-related information as a matter of course. (*wink)