When a firm suffers a cyber event or security intrusion, the response is often chaotic. Responders are focused on identifying the source of the breach, locking down their IT infrastructure, and understanding the extent of their losses. When responding to an incident, however, it is important that firms do not overlook their other required breach management activities.
Incident reporting mandated by regulatory or government agencies is a common requirement for businesses across a variety of industries, and failure to report detected incidents appropriately can result in fines. With the security regulatory landscape changing rapidly, it is becoming more common to see agencies that previously had no security incident reporting requirements adjust their policies. For this reason, firms must stay abreast of regulatory changes to avoid fines.
A recent reporting requirement issued by the Financial Crimes Enforcement Network (FinCEN) is an example of a security regulatory change affecting broker-dealers and financial institutions specifically. FinCEN is an agency of the United States Department of the Treasury whose mission is to “combat money laundering and promote national security through the collection, analysis, and dissemination of financial intelligence and strategic use of financial authorities.” To support its anti-money laundering (AML) mission, FinCEN began requiring financial institutions to submit Suspicious Activity Reports (SARs) for activities or transactions that are confirmed to be malicious or that appear questionable.
In its October 2016 advisory, FinCEN broadened the reporting requirements to mandate that financial institutions report “cyber-enabled crime and cyber-events” through SARs.
A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets. If a financial institution knows, suspects, or has reason to suspect that a cyber event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, the cyber event should be considered part of an attempt to conduct a suspicious transaction or series of transactions.
FinCEN further advised that no actual transaction needs to have occurred if the cyber events, together with the systems and information targeted, could “reasonably lead the financial institutions to suspect the events were intended to be part of an attempt to conduct, facilitate, or affect an unauthorized transaction or series of unauthorized transactions aggregating or involving at least $5,000 in funds or assets.”
The takeaway? Whether or not your firm is governed by FinCEN, corporate IT security and compliance teams across all industries should collectively and routinely revisit their incident response policies. Responding to a cyber incident is a shared responsibility among many company departments. It is important that your firm’s specific breach notification requirements are well documented and shared across business units to avoid penalties for incident response missteps.