FAQ - SAR Filings – Cyber-Events

September 19, 2024 BY MQMR Blogger

Question: When should a cyber event result in a suspicious activity report (SAR) filing?

Answer:

FinCEN defines a cyber-event as “an attempt to compromise or gain unauthorized electronic access to electronic systems, services, resources, or information” and requires financial institutions and mortgage companies to report any suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. This would include cyber-events that a financial institution knows, suspects, or has reason to suspect were intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions. This is because these types of events are (i) unauthorized, (ii) relevant to a possible violation of law or regulation, and (iii) regularly involve efforts to acquire funds through illegal activities. In determining monetary amounts involved in the transactions or attempted transactions, a financial institution should consider in aggregate the funds and assets involved in or put at risk by the cyber-event. Further, whether to file a SAR involving a cyber-event or attempted cyber-event is not based on the success of the attempt.

FinCEN also encourages, but does not require, financial institutions to report egregious, significant, or damaging cyber-events when such events and crime do not otherwise require the filing of a SAR.

An example of a cyber-event that may require a SAR filing is a malware intrusion where a cybercriminal gains access to a lender’s systems/network or information and performs unauthorized transactions or exposes sensitive customer information, such as account balances or social security numbers. However, FinCEN advised in its Frequently Asked Questions (FAQs) regarding the Reporting of Cyber-Events, Cyber-Enabled Crime, and Cyber-Related Information through Suspicious Activity Reports (SARs) that filing a SAR to report continuous scanning or probing of a financial institution’s systems or network is impractical and not required. For more information, see FinCEN’s Advisory, FIN-2016-A005.