suspicious activity report

New Cybersecurity Reporting Requirements? FinCEN Advisory Identifies Cybersecurity Events for Financial Institutions to Report

FinCEN Advisory Identifies Cybersecurity Events for Financial Institutions to Report Financial Building Facade

Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs).  This Advisory follows former FinCEN Director Jennifer Shasky Calvery’s recent statements reminding “financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports.”  It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT).  Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, the Advisory highlights a series of cybersecurity events–such as Distributed Denial of Service (DDoS) attacks and ransomware incidents–that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.

READ MORE

FinCEN to Financial Institutions: Include Cyber Data in Suspicious Activity Reports (SARs)

cyber data

As new legislation aimed at facilitating greater cybersecurity information sharing between private industry and government takes effect (i.e., Cybersecurity Information Sharing Act), FinCEN Director Jennifer Shasky Calvery recently called for “financial institutions to include cyber-derived information (such as IP addresses on bitcoin wallet addresses) in suspicious activity reports.”  Director Shasky Calvery’s statement dovetails with the Federal Financial Institutions Examination Council (FFIEC)  Cybersecurity Assessment Tool (CAT) launched last year that we discussed previously, which lists “threat intelligence and collaboration” through information-sharing forums as one of five key “domains” for assessing cybersecurity preparedness.  Regulated entities should take stock of this shifting risk management and compliance landscape, and evaluate the need for changes (and investments) to existing cybersecurity tools necessary for information collection, analysis and sharing.

READ MORE