Banks must report even failed hacking attempts



Written by

U.S. banks have to promptly report any online theft, fraud or hacking attempts involving more than $5,000, even if they failed, under new guidance from the Treasury Department’s money-laundering and financial crimes enforcement office FinCEN.

“A financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets,” states the guidance, issued this week. The banks should use the Suspicious Activity Reporting channels, or SAR, established under the 1970 Bank Secrecy Act, FinCEN states.

Examples of the kind of cyber events that must be reported include “unauthorized electronic intrusion,” “account takeover” and “malware intrusion,” but not “continuous probing or scanning,” according to an FAQ issued the same day.

When they file their SAR, banks should include “all relevant and available information regarding the suspicious transactions and the cyber-event — including the type, magnitude, and methodology of the cyberevent as well as signatures and facts on a network or system that indicate a cyberevent,” according to the FAQ.

The kinds of information required include:

  • IP address and port information with respective date timestamps
  • Uniform Resource Locator (URL) addresses
  • Attack vectors
  • Command-and-control nodes
  • Suspected malware filenames
  • Email addresses
  • Social media account/screen names

“Cyberevents targeting financial institutions that could affect a transaction or series of transactions would be reportable as suspicious transactions because they are unauthorized, relevant to a possible violation of law or regulation, and regularly involve efforts to acquire funds through illegal activities,” the advisory states.

SARs are kept secret and disclosing their contents is a federal crime. The banks that file them enjoy wide-ranging immunity from any legal consequences.

The guidance is the latest additional cybersecurity measure recently imposed on banks. Others include the Office of the Comptroller of the Currency requirement that national banks file SARs to report unauthorized electronic intrusions; and guidance from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation and the National Credit Union Administration requiring the filing of SARs to report certain computer-related crimes.