Federal Financial Insitutions Examination Council

New Cybersecurity Reporting Requirements? FinCEN Advisory Identifies Cybersecurity Events for Financial Institutions to Report

FinCEN Advisory Identifies Cybersecurity Events for Financial Institutions to Report Financial Building Facade

Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs).  This Advisory follows former FinCEN Director Jennifer Shasky Calvery’s recent statements reminding “financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports.”  It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT).  Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, the Advisory highlights a series of cybersecurity events–such as Distributed Denial of Service (DDoS) attacks and ransomware incidents–that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.

READ MORE