The Treasury Department’s Financial Crimes Enforcement Network(FinCEN) recently issued an advisory to financial institutions oncyber-events and cyber-enabled crime, as well asFrequently-Asked-Questions guidance regarding the reporting ofcyber-events, cyber-enabled crime and cyber-related informationthrough Suspicious Activity Reports.

FinCEN said the lateOctober guidance is designed to assist financialinstitutions in understanding their Bank Secrecy Act obligationsregarding cyber-events and cyber-enabled crime, and also highlightshow BSA reporting helps U.S. authorities combat cyber-events andcyber-enabled crime.

The alert is designed to help financial institutions with thefollowing:

• Reporting cyber-enabled crime and cyber-events throughSuspicious Activity Reports (SARs);

• Including relevant and available cyber-related information(e.g., Internet Protocol (IP) addresses with timestamps,virtual-wallet information, device identifiers) in SARs;

• Collaborating between BSA/Anti-Money Laundering (AML) units andin-house cybersecurity units to identify suspicious activity;and

• Sharing information, including cyber-related information, amongfinancial institutions to guard against and report moneylaundering, terrorism financing, and cyber-enabled crime.

The alert also defines three types of cyber-relatedincidents:

• Cyber-Event: An attempt tocompromise or gain unauthorized electronic access to electronicsystems, services, resources, or information.

• Cyber-Enabled Crime: Illegalactivities (e.g., fraud, money laundering, identity theft) carriedout or facilitated by electronic systems and devices, such asnetworks and computers.

• Cyber-RelatedInformation: Information that describestechnical details of electronic activity and behavior, such as IPaddresses, timestamps, and Indicators of Compromise (IOCs).Cyber-related information also includes, but is not limited to,data regarding the digital footprint of individuals and theirbehavior.

FinCEN and law enforcement regularly use information financialinstitutions report under the BSA to initiate investigations,identify criminals, and disrupt and dismantle criminal networks,the alert states.

FinCEN also points out that the advisory “does not changeexisting BSA requirements or other regulatory obligations forfinancial institutions,” and that financial institutions “shouldcontinue to follow federal and state requirements and guidance oncyber-related reporting and compliance obligations.”

Further, financial institutions should also note that filing aSAR does not relieve financial institutions from any otherapplicable requirements to timely notify appropriate regulatoryagencies of events concerning critical systems and information orof disruptions in their ability to operate, the report states.

The recently enacted Cybersecurity Act of 2015, also known asthe Cybersecurity Information Sharing Act (CISA), does not changeany SAR-reporting requirements under the BSA, SAR confidentialityrules, or the safe harbor protections under section 314 of the USAPATRIOT Act, the advisory notes.

The FAQs guidance also provides some examples of when SARreporting of cyber-events is manadatory, such as a malwareintrusion.