In February 2015, HLC’s “The Convergence of AML and Cybersecurity” post noted that “customer activity that may be a possible basis for a Suspicious Activity Report (SAR) should also be viewed as a potential information security breach…similarly, a detected cybersecurity breach may be the first indicator of a financial crime.”
In October 2016, the Department of Treasury’s Financial Crimes Enforcement Network (FINCEN) published an advisory (the “October Advisory”) directing financial institutions to start reporting “cyber-enabled crime and cyber-events” through SARs, making the reporting of those connections mandatory. With regard to cyber-enabled crime, the October Advisory effectively restates the existing requirement. SAR statistics for the securities and futures industry for the first two months following its release don’t suggest any attributable change in reporting behavior. The significance of the “cyber-enabled crime” restatement for firms is its guidance on what cyber-crime related data must be included in the SAR. Of course, there is also the broadening of the reporting requirement to include “cyber-events,” which is the focus of this piece.
The inclusion of the “cyber-event” reporting requirement was largely without prior notice, which is notable as it includes events that do not directly impact financial transactions. While an e-mail compromise advisory issued in early September (the “September Advisory”) pushed out the interpretative edges of reportable e-mail compromise attempts, the industry was not given a deadline to work towards as they are accustomed to receiving from FINRA and SEC. In fact, even FINCEN’s own reporting structure has not adapted to the new requirement. Reporting financial institutions will generally need to report “cyber-events” under the “Other” sub-category for “Other Suspicious Activity.” This structure makes it hard to determine whether the uptick in the “Other” reporting activity during the first two months following the October Advisory is attributable to increased reporting of “cyber-events” or other factors, particularly since neither month represents a high-water mark for “Other” SAR reports.
Irrespective of the readiness of the securities and futures industry for this requirement, it is here. Registered Investment Advisors do not have SAR reporting obligations yet, although proposed rulemaking aims to change that.
What Is A Cyber-Event?
The October Advisory defines a cyber-event as “an attempt to gain unauthorized access to electronic systems, services, resources or information” and further, “if a financial institution knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions, it should be considered part of an attempt to conduct a suspicious transaction or series of transactions.” This is a broad construction of “attempt.” To ensure clarity, both the October Advisory and the related FAQs state that the reporting obligation extends regardless of whether the attempt was successful. Further, the monetary threshold for SARs is largely inapplicable as a limiting factor as financial institutions must consider in aggregate the funds “involved in or put at risk” by the cyber security event.
Reporting Scope and Implementation
At a SIFMA AML conference on February 8th and 9th, FINCEN confirmed that “pinging” was not considered a cyber-event, suggesting that untargeted attacks were not reportable. In the FAQ, this was referred to as scanning and probing of networks. While FINCEN did not clarify whether an untargeted phishing email (an email designed to trick the recipient into taking an unauthorized action, such as exposing data or systems) constitutes a probe or scan, the September Advisory suggests that FINCEN is focused on emails demonstrating evidence of social engineering (i.e., the sender researched its recipient to lend credibility to its email and its illegitimate purpose), such as information relating specifically to the recipient, the recipient’s business or the recipient’s personal and/or professional network, including relationships related to such network such as commercial customers, executives or suppliers. Both regulators and industry panelists at the conference, however, affirmed that financial institutions should broadly interpret what constitutes an “attempt to gain unauthorized access.”
The October Advisory and related FAQs also stated that firms are “required to file complete and accurate reports that incorporate all relevant information available,” including “information that describes the technical details of electronic activity and behavior.” The FAQs break out five categories of information: source and destination information, file information, subject user names, system modifications and involved account information. Complying with this requirement will force firms to adopt new processes to collect and integrate such data into their SAR reports. The need for such specificity is ironic for a SAR report that is sub-classified as “Other” under an “Other” category.
Recognizing that the reporting process could be a burden to many firms, FINCEN does permit financial institutions that are subject to “large numbers of cyber-events” to report them through “a single cumulative SAR filing when such events are similar in nature” or “are believed to be related, connected or part of a larger scheme.” This effectively reduces the number of filings, but still requires one larger filing.
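The following is an added illustration, not code from the post or from FINCEN, of how a firm might structure the data the FAQs call for and roll similar events into one cumulative filing. It assumes an internal event record with one field per FAQ category, a “scheme” label assigned by the firm as the grouping key, and constructed sample records; those names and values are assumptions, and the FAQ categories and cumulative-filing concept are the only parts drawn from the advisory as the post describes it.

```python
"""Group constructed cyber-event records into cumulative SAR filings.

Added illustration; not the post's or FinCEN's code. Field names, the
"scheme" grouping key and the sample records are assumptions. The five
technical categories are the ones the FAQs list; combining similar or
related events into one cumulative SAR is what the October Advisory permits.
"""
from collections import defaultdict

# The five categories of technical detail the FAQs ask for.
TECHNICAL_CATEGORIES = (
    "source_destination", "file_information", "subject_user_names",
    "system_modifications", "involved_accounts",
)

# Constructed sample records (hypothetical). IPs use RFC 5737 test ranges
# and hostnames use the reserved .test domain.
EVENTS = [
    {"event_id": "EV-001", "scheme": "credential-abuse-2017-01", "successful": False,
     "funds_at_risk": 12000.00,
     "source_destination": {"src_ip": "203.0.113.10", "dst_host": "login.broker.test"},
     "file_information": {},
     "subject_user_names": ["jdoe"],
     "system_modifications": [],
     "involved_accounts": ["ACCT-1001"]},
    {"event_id": "EV-002", "scheme": "credential-abuse-2017-01", "successful": True,
     "funds_at_risk": 8500.00,
     "source_destination": {"src_ip": "203.0.113.11", "dst_host": "login.broker.test"},
     "file_information": {},
     "subject_user_names": ["asmith"],
     "system_modifications": ["mail forwarding rule added on asmith mailbox"],
     "involved_accounts": ["ACCT-2002"]},
    {"event_id": "EV-003", "scheme": "wire-bec-2017-01", "successful": False,
     "funds_at_risk": 250000.00,
     "source_destination": {"src_ip": "198.51.100.7", "sender": "ceo@br0ker.test"},
     "file_information": {"name": "wire_instructions.pdf", "sha256": "<constructed>"},
     "subject_user_names": ["treasury_ops"],
     "system_modifications": [],
     "involved_accounts": ["ACCT-3003", "ACCT-9999"]},
]


def is_complete(event):
    """True when the record carries all five FAQ categories (empty values allowed)."""
    return all(category in event for category in TECHNICAL_CATEGORIES)


def build_cumulative_filings(events):
    """Roll events into one filing per scheme.

    Every event is counted whether or not it succeeded, and funds "involved in
    or put at risk" are aggregated across the group rather than judged
    per event, matching how the post describes the advisory's scope.
    """
    groups = defaultdict(list)
    for event in events:
        if not is_complete(event):
            # A filing must be complete and accurate; fail loudly instead of
            # emitting a thin SAR that omits a required category.
            raise ValueError(f"{event.get('event_id', '?')} lacks a required category")
        groups[event["scheme"]].append(event)

    filings = []
    for scheme, evs in sorted(groups.items()):
        total = round(sum(e["funds_at_risk"] for e in evs), 2)
        successes = sum(1 for e in evs if e["successful"])
        filings.append({
            "scheme": scheme,
            "event_ids": [e["event_id"] for e in evs],
            "attempts": len(evs),
            "successful_attempts": successes,
            "aggregate_funds_at_risk": total,
            # Per-category lists keep the technical detail for every event.
            "technical_details": {c: [e[c] for e in evs] for c in TECHNICAL_CATEGORIES},
            "narrative": (f"{len(evs)} related cyber-event(s), {successes} successful, "
                          f"under scheme {scheme}; aggregate funds involved or put at "
                          f"risk: {total:,.2f}."),
        })
    return filings


if __name__ == "__main__":
    for filing in build_cumulative_filings(EVENTS):
        print(filing["narrative"])
```

The grouping key is deliberately a firm-assigned label rather than something inferred from the data, because the decision that events are “similar in nature” or “part of a larger scheme” is an analyst judgment that the advisory leaves with the institution.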
Readiness and Exposure
Based on preliminary data, it appears that the securities industry was not ready for this requirement. To date, a handful of large retail firms have dominated SAR reporting and are perhaps further along in their processes. With the new cyber-event reporting requirement, however, the rest of the securities industry will become a larger component of SAR filings over time. Along the path to getting there, firms (and possibly RIAs) that are not prepared for or particularly focused on the new cyber-event SAR requirement will be cited and fined. As noted in my recent “AML and Microcaps: New Challenges, New Solutions” post, last year the SEC published an enforcement action against a broker solely in connection with its failure to file SARs. As part of its Examination Priorities for 2017, the SEC has indicated that it will “continue to assess broker-dealers’ compliance with SAR requirements and the timeliness and completeness of SARs filed.”
The SEC, however, is not the only regulator focused on SAR filings. FINCEN’s October Advisory (and SAR reporting requirements generally) will be enforced in different ways by a number of financial regulators (e.g., SEC, FINRA, OCC, CFTC, NFA). Further, cyber-events are auditable from system log files and, like any reporting violation, intent does not need to be proven; violations are binary.
Firms need to identify who in AML has cyber-event reporting responsibility and ensure that they are receiving the requisite information to enable them to file SARs correctly. Moreover, firms need to ensure that SARs incorporate adequate descriptions and are filed on a timely basis. As for investment advisors, they get a pass…for now.
The scope and complexity of both cyber attacks and responses are going to increase. Thus, the regulatory exposure of financial firms due to gaps in their cyber-event reporting processes will also increase.
Despite the additional burdens, we need to be mindful that the purpose of this reporting is to use the data collected to protect financial firms and their customers from cyber-enabled crimes. In the words of an unnamed senior industry executive expressing the nonchalance that many have about cyber security beyond the need to meet regulatory requirements, “Oh yeah, there’s also that.” Perhaps we should just focus on making sure that the industry gets the new requirements…