In October, 2016, the Financial Crimes Enforcement Network (FinCEN) published an advisory regarding financial institutions’ obligations related to cyber crime. The key takeaway from the advisory is that suspicious activity reports (SARs) should be filed for cyber events, even when they do not result in a financial transaction. The advisory is not intended to establish new requirements, but rather to encourage financial institutions to consider their Bank Secrecy Act (BSA) obligations across a wider range of circumstances.
Cyber SAR Examples
The advisory is quite broad in its implications, but FinCEN did provide three examples of a cyber event that should be reported as a SAR:
1. A malware intrusion that gives attackers access to a bank’s systems. If it is suspected that the stolen data will be used to make unauthorized transactions. The event is calculated to put $500,000 in customer funds at risk, though no transactions are known to have occurred.
2. A cyber event that results in exposed confidential customer information that could be used to conduct fraudulent transactions. The intended goal of the attackers is estimated to be at least $5,000 in transactions.
3. A dedicated denial of service (DDoS) attack that is used to conceal an unauthorized $2,000 wire transfer.
These examples demonstrate the principles of the advisory, such as that theft of money does not have to be the direct goal of the attack to require a SAR. Access to information might be the target, which could conceivably be used in the future to conduct fraudulent transactions. Or, as in the third example, one cyber event might be intended to distract from, or make way for, a separate attack.
What to Report
The report recommends that financial institutions file SARs for all cyber events, even when not explicitly required. This additional information regarding cyber events is considered useful to law enforcement. Additionally, FinCEN considers cyber information (when available) as part of the relevant information that must be included with all SARs, even when the activity is not directly cyber-related. In an FAQ document, they give the example of including the IP addresses associated with a fraudulent wire transfer.
In the same FAQs, FinCEN specifies that financial institutions are not required to report on continuous scanning or probing of their networks and systems. SARs related to cyber events should include the following information, when available:
- Description and magnitude of the event
- Known or suspected time, location, and characteristics or signatures of the event
- Device identifiers
- Methodologies used
- Other information the institution believes is relevant
- IP address and port information with respective date timestamps in UTC
- Uniform resource locator (URL) addresses
- Attack vectors
- Command-and-control nodes
- Subject user names
- E-mail addresses
- Social media account/screen names
- System modifications
- Registry modifications
- Indicators of compromise (IOCs)
- Common vulnerabilities and exposures (CVEs)
- Involved account information:
- Affected account information
How D3 Can Help
Whether a financial institution conducts SAR reporting at the branch level, or centrally compiles reports for bulk submission, D3 is designed to make the process fast and easy. An incident report in D3 can be turned into a SAR form with a single click and delivered to FinCEN, all within the platform. D3 can also do batch uploads of collected reports, track filed reports, and attach acknowledgment reports from FinCEN to the record of the filing. For cyber information, we have a preconfigured Cyber SAR template, based on the template provided by FinCEN.
Book a demo and see for yourself why so many financial institutions use D3 to manage SAR reporting, orchestrate incident response, connect with security technologies, and apply data-driven decisions across an enterprise-wide vision of cyber security and risk management.