Brandi B. Reynolds, CAMS-Audit, CCI
This is Part 3 of a three-part series of articles about tackling SAR weaknesses. The focus of this article will be the process of filing Cyber SARs. This article will consider the topic broadly, meaning cyber fraud events, hacking attempts, ransomware attacks, and other computer-related crime.
Cyber SARs are different because so much information is invisible, or at least hidden. The actors rarely present themselves; many times they are a continent away from the victim institution. The currency most often involved is electronic, rarely tangible. Sometimes the suspicious transaction follows an evolutionary path rather than being a single event. As a result, the filing standard for a Cyber SAR differs from other SARs. The overarching message of this article is “When in doubt, file. When lacking information, file what you have.”
Guidance on Filing from FinCEN
FinCEN addressed the topic of cyber-related SARs in 2016 in FinCEN guidance FIN-2016-A005.
In this guidance FinCEN introduced the topic of “Mandatory SAR Reporting of Cyber Events”. FinCEN included a set of frequently asked questions (FAQs) about Cyber SARs.
Pay extra attention to FAQs #4 and #5 regarding nuances of filing Cyber SARs. FAQ #4 introduces the concept of a Cumulative SAR for reporting multiple cyber-related incidents of the same type, instead of reporting them separately. Note, however, that cumulative reporting can only be used for cyber-related incidents. In FAQ #5 we learn that an institution need not file on every probe or scan on the institution’s network, as that would be too burdensome. However, when filing a cyber-related SAR for a reportable event, and the number or nature of probes and scans is pertinent, definitely include that information in the SAR.
FinCEN resurrected the topic of cyber-related SARs in July 2020 with FIN-2020-A005 because cybercrime proliferated during the pandemic.
The Content Necessary for a Cyber Crime SAR
As with other SARs, a Cyber SAR should have the elements of a journalism article – who, what, where, when, why and how. FinCEN provides the special requirements necessary for some of those elements in its 2020 guidance.
FIN-2020-A005 provides the “What”: “If a financial institution knows, suspects, or has reason to suspect that a cyber event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions.”
FIN-2020-A005 also provides the “Why”: “Cyber-events targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities.”
Shortly thereafter, FinCEN published more focused guidance on reporting ransomware attacks on banks and on bank customers with FIN-2020-A006. What’s important to note in all of the guidance between 2018 and 2020 is that reporting is required even for cyber events that were unsuccessful, meaning even an attempted cyber event is reportable.
The BSA Department in a financial institution must understand that these events require SAR filing, but other departments privy to such events, such as the fraud department and the information security department, might not understand all of the requirements of cyber-event SAR filing. When they are dealing with an event, they’re likely not thinking “the institution needs to file a SAR on this.” Therefore, the underlying issue in filing Cyber-Related SARs is how the information will be provided to the BSA Department. As a result, the BSA Department should partner with the Fraud and Information Security departments so that it may receive the following information on cyber-related events:
- IP address and port information, with the respective date/time stamps in Coordinated Universal Time (UTC);
- Uniform Resource Locator (URL) addresses;
- Attack vectors;
- Command-and-control nodes;
- Suspected malware filenames;
- MD5, SHA-1, or SHA-256 hash information (cryptographic algorithms);
- E-mail content;
- Social Media Names and Screen Names (handles, etc.) (The BSA department should also do a complete analysis of the suspects’ online profiles as well as a negative news scan);
- Registry Modification Indicators;
- Any other Indicators of Compromise;
- Mobile device information (such as device IMEI);
- And for cyber-related events involving virtual currency:
  - virtual currency wallet addresses;
  - information about the exchanges;
  - transaction details (including virtual currency transaction hash); and
  - information on the originator and the recipient.
The information above is in addition to the regular information about names and accounts that you will include in other SARs.
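One way to make the handoff from Fraud and Information Security to the BSA department dependable is to check the package of indicators before the SAR is drafted: are timestamps actually in UTC, are hashes really MD5/SHA-1/SHA-256, and are the virtual-currency fields present when they apply? The script below is an added example written for this article, not code from the author, CorCom or FinCEN. The field names (`network_observables`, `file_hashes`, `involves_virtual_currency`, and so on) are hypothetical, and the sample record is constructed using documentation-only IP ranges and the well-known digests of empty input, not data from any real incident.

```python
"""Pre-filing check of a cyber-event handoff record for the BSA department.

Added example; field names are hypothetical and the sample record is constructed.
"""
import ipaddress
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Hex digest lengths for the three hash algorithms named in the FinCEN list.
HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")

# Fields that must be present for any virtual-currency event (hypothetical names).
VIRTUAL_CURRENCY_FIELDS = ("wallet_addresses", "exchanges", "transaction_hashes",
                           "originator", "recipient")


def classify_hash(value: str):
    """Return 'MD5', 'SHA-1' or 'SHA-256' for a hex digest, or None if malformed."""
    value = value.strip()
    if not HEX_RE.match(value):
        return None
    return HASH_LENGTHS.get(len(value))


def is_utc_timestamp(value: str) -> bool:
    """True only if the string is ISO-8601 with an explicit zero offset (UTC)."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return False
    return dt.tzinfo is not None and dt.utcoffset() == timedelta(0)


def validate_handoff(record: dict) -> list:
    """Return a list of problems found; an empty list means the record is usable."""
    problems = []
    # Each network observable is (ip, port, timestamp) per the "IP address and port" item.
    for ip, port, ts in record.get("network_observables", []):
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append(f"bad IP address: {ip!r}")
        if not (isinstance(port, int) and 0 <= port <= 65535):
            problems.append(f"bad port for {ip}: {port!r}")
        if not is_utc_timestamp(ts):
            problems.append(f"timestamp not in UTC for {ip}: {ts!r}")
    for url in record.get("urls", []):
        parsed = urlparse(url)
        if not (parsed.scheme and parsed.netloc):
            problems.append(f"malformed URL: {url!r}")
    for digest in record.get("file_hashes", []):
        if classify_hash(digest) is None:
            problems.append(f"hash is not MD5/SHA-1/SHA-256 hex: {digest!r}")
    if not record.get("attack_vector"):
        problems.append("missing field: attack_vector")
    if record.get("involves_virtual_currency"):
        for field in VIRTUAL_CURRENCY_FIELDS:
            if not record.get(field):
                problems.append(f"virtual currency event missing: {field}")
    return problems


# Constructed sample record (not a real incident). Addresses are from the
# documentation-only TEST-NET ranges; digests are the MD5 and SHA-256 of empty input.
SAMPLE_RECORD = {
    "attack_vector": "credential phishing leading to unauthorized ACH origination",
    "network_observables": [
        ("203.0.113.45", 443, "2024-03-02T14:05:11Z"),
        ("198.51.100.7", 8080, "2024-03-02T09:00:00-05:00"),  # local time, should be flagged
    ],
    "urls": ["https://login.example.net/verify", "not a url"],
    "file_hashes": [
        "d41d8cd98f00b204e9800998ecf8427e",
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
        "zz12",
    ],
    "malware_filenames": ["invoice_03_2024.exe"],
    "involves_virtual_currency": True,
    "wallet_addresses": ["<wallet address placeholder>"],
    "exchanges": ["<exchange name placeholder>"],
    "transaction_hashes": [],  # empty on purpose: should be flagged
}

if __name__ == "__main__":
    for problem in validate_handoff(SAMPLE_RECORD):
        print("-", problem)
```

Run against the sample record, the check flags the non-UTC timestamp, the malformed URL, the non-hex hash, and the three virtual-currency fields that are empty or absent (transaction hashes, originator, recipient). The point is not the specific rules but that the BSA department agrees a fixed set of fields with Fraud and Information Security and rejects incomplete handoffs before the SAR deadline clock is running short.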
Writing the Cyber SAR
Our experience is that Information Security professionals are very talented at writing a narrative on how the cyber-event took place. They have to write this documentation to satisfy information security safety and soundness requirements for their IT exams and audits. Ask your Information Security professionals for this documentation as it will help you write the SAR.
Do any of the FinCEN bulletins suggest that BSA professionals have to become Information Security professionals? No. However, the BSA professionals who are tasked with writing and filing Cyber SARs should become conversant in the terms and technology, such that they can ask the right questions of the institution’s Fraud and Information Security staff. Many BSA/AML organizations, vendors, audit and consulting firms offer webinars in this area. Audit and consulting firms may list these webinars under “IT” so be creative in sourcing these webinars. In large BSA departments, at least one person should be a “convergence” professional. That is, a professional who is well-versed in Fraud Operations, Fraud Risk Management, Information Security, AML, and OFAC.
Helpful hint #1: For those writing the SARs, remember to reference the FinCEN advisory number in SAR Field #2 and in the narrative.
Helpful hint #2: If your SAR-filing software doesn’t allow you to somehow tag the SAR as a Cyber-related SAR, then keep a log of these elsewhere. When an auditor or examiner requests all of your Cyber-related SARs for the prior 12 months, that’s not the time to scroll through every SAR you filed to try to determine which were Cyber-related.
For more information on how CorCom can assist with your compliance needs, please contact email@example.com.