Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs). This Advisory follows former FinCEN Director Jennifer Shasky Calvery’s recent statements reminding “financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports.” It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, the Advisory highlights a series of cybersecurity events–such as Distributed Denial of Service (DDoS) attacks and ransomware incidents–that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.
Posts by: Daniel Streim
There has been no recent shortage of high-profile cyberattacks and data breaches leaving businesses with millions of dollars in losses. Verizon’s 2015 Data Breach Investigations Report counted 79,790 security incidents (including 2,122 confirmed data breaches) in the last year alone. If you’re a business that stores information electronically—that is, if you’re any business at all—you’re probably sufficiently worried about cyber threats just by reading the news. But if you haven’t fully appreciated the seriousness of the problem yet, the insurance industry is happy to help. As one insurer warns in its marketing materials, “many companies don’t realize that whether they experience a data security breach isn’t as much a matter of if it will happen as when.” Sufficiently terrified of cyber threats? Don’t worry—these same insurers will let you know they offer coverage that will help mitigate your risk. As one insurer puts it, “when a security breach happens, you’ll need comprehensive protection from an insurer that specializes in handling cyber risks, offers a full suite of integrated insurance solutions to help minimize gaps in coverage, and understands how to tailor coverage to your business.”
When you, as a policyholder, give an insurance company notice of a claim, the insurance company often will send a “reservation of rights” letter—especially where there are complex liability claims—preserving its right to give you a coverage decision after it investigates the claim (that is, if it doesn’t accept or deny the claim outright). These letters usually include lengthy lists of coverage defenses the insurance company reserves the right to assert and questions that it wants you to answer. Many policyholders are naturally overwhelmed by the questions and have no idea how to respond. But respond you must. And how you respond has the potential to make or break your claim. Luckily, common sense and some simple rules are usually enough to make sure your claim survives this early hurdle.
The insurance company’s questions often pose three problems. First, they may seek information solely to enable the insurance company to deny coverage, often on grounds that the notice was late. Questions such as “When did you know that there was a problem?” seek information the insurance company can use to deny coverage on the basis that you failed to notify it in a timely manner. But you must remember that you are under no obligation to give the insurance company information that it can use to defeat coverage. You should provide information adequate to describe the nature of the claim, but it is the insurance company’s obligation to figure out how to defeat coverage.