A bevy of federal agencies have recently issued guidance, advisories and potential new regulations related to the growing threat of cybercrime—one of the most pressing challenges facing all players in the payments and financial services industry.
FinCEN on Oct. 25 issued an advisory to assist financial institutions in understanding their Bank Secrecy Act obligations regarding cybercrime, including filing Suspicious Activity Reports (SARs) and sharing information with other institutions—two areas FinCEN has identified as key to helping defend against cybercrime. SARs that include as much relevant information as possible—including IP addresses and time stamps—are a “valuable source of investigatory leads” in instances of cybercrime, the advisory said. FinCEN gives examples of instances in which an institution would be required to file an SAR when it detects a “cyber-event,” defined by FinCEN as “an attempt to compromise or gain unauthorized access to electronic systems, services, resources or information.” Along with the advisory, FinCEN issued a set of FAQs regarding reporting cyber-events via SARs, including what information to include in a report.
Meanwhile, the Federal Financial Institutions Examination Council—an interagency body composed of the Fed Board of Governors, FDIC, OCC, CFPB and National Credit Union Administration—has issued FAQs related to the council’s Cybersecurity Assessment Tool. Released in 2015, the assessment tool is a voluntary process to help financial institutions measure their cybersecurity risks and their ability to respond to cybercrime. The FAQs were issued in response to “several requests to clarify” points in the original tool and supporting material.
Finally, the Fed, FDIC and OCC have approved an advance notice of proposed rulemaking (ANPR) on a set of potential enhanced cybersecurity risk-management and resilience standards that would apply to large entities under those agencies’ supervision. Designed to “increase the operational resilience of these entities and reduce the impact on the financial system in case of a cyber-event experienced by one of these entities,” the proposed rules focus on five specific areas: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience and situational awareness.
Comments on the ANPR are due Jan. 17, 2017, and may be sent via the following methods:
- Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
- E-mail: firstname.lastname@example.org.
- Fax: (202) 452-3819 or (202) 452-3102.
- Mail: Robert Frierson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue NW., Washington, DC 20551.