Last week, FinCEN (Financial Crimes Enforcement Network) issued a formal Advisory to Financial Institutions and published FAQs outlining specific cybersecurity events that should be reported through Suspicious Activity Reports (SARs). This Advisory follows former FinCEN Director Jennifer Shasky Calvery’s recent statements reminding “financial institutions to include cyber-derived information (such as IP addresses or bitcoin wallet addresses) in suspicious activity reports.” It also follows the launch of the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT). Although the Advisory does not change existing Bank Secrecy Act (BSA) requirements or other regulatory obligations, the Advisory highlights a series of cybersecurity events–such as Distributed Denial of Service (DDoS) attacks and ransomware incidents–that should be reported on SARs filed with FinCEN, even though they often (but not always) fall outside the traditional notion of a data breach or a compromise of personal information.
Jonathan has specialized expertise in white collar matters with extensive experience in Bank Secrecy Act, FCPA, and financial fraud investigations. Jonathan is regularly called upon to lead representations in high profile and high stakes settings and has the rare distinction of successfully first chairing both an Enron case and an FCPA case at trial.
Jonathan comes to Orrick after having spent over 11 years at the Department of Justice serving in a number of capacities including as an inaugural Deputy Chief of DOJ's Money Laundering & Bank Integrity Unit, a Senior Trial Attorney in DOJ's Criminal Fraud Section, an attorney adviser in the Office of Legislative Affairs and as an Assistant United States Attorney in Miami, Florida.
Jonathan has a deep understanding of how the Department of Justice operates internally and externally, in particular with other federal agencies such as the SEC, Treasury/FinCEN and the State Department, as well as with state and international law enforcement.
As a result of
Jonathan’s wide range of government and private practice experience, Jonathan
brings a unique and well-rounded perspective with which to assist clients. He is regularly asked to speak at national
conferences on anti-corruption, anti-money laundering, personal liability, and
responding to DOJ investigations.
Jonathan graduated from Georgetown University Law Center and received his undergraduate degree from UCLA. Jonathan is currently an adjunct professor at Georgetown University Law Center where he teaches a class on Federal Criminal Trial Strategy.
Posts by: Jonathan Lopez
As new legislation aimed at facilitating greater cybersecurity information sharing between private industry and government takes effect (i.e., Cybersecurity Information Sharing Act), FinCEN Director Jennifer Shasky Calvery recently called for “financial institutions to include cyber-derived information (such as IP addresses on bitcoin wallet addresses) in suspicious activity reports.” Director Shasky Calvery’s statement dovetails with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) launched last year that we discussed previously, which lists “threat intelligence and collaboration” through information-sharing forums as one of five key “domains” for assessing cybersecurity preparedness. Regulated entities should take stock of this shifting risk management and compliance landscape, and evaluate the need for changes (and investments) to existing cybersecurity tools necessary for information collection, analysis and sharing.