Nov. 12: Cybersecurity, cyberattacks, malware infections, the BSA – what if you don’t report cyber incidents?

Let’s start Saturday with some news from overseas. UK bank Tesco Bank confirmed 40,000 accounts were subjected to online criminal activity, as hackers seemingly broke into the bank’s online banking system and stole money from many of those accounts. In other security matters, Spanish bank BBVA has launched a feature that will allow customers to pay by selfie using a mobile device.


Can you believe that financial institutions “have become increasingly dependent on technology to facilitate financial transactions?” Is this breaking news? The feds have proposed tougher cybersecurity regulations for big banks and related entities. The announcement comes on the heels of a like-minded proposal by New York state regulators for banks and insurers.


Regulators have revealed their plans for cybersecurity standards for the financial industry, and they cover a broader range of companies than expected. A SIFMA spokesperson says the group needs time to study the proposed standards.


The Treasury Department’s Financial Crimes Enforcement Network has told banks to provide more details about cyberattacks when filing fraud and money-laundering reports. “Financial institutions can play an important role in safeguarding customers and the financial system from these threats through timely and thorough reporting of cyber-events and cyber-related information in [suspicious-activity reports],” according to FinCEN’s advisory.


Who is encouraging non-depository lenders and smaller banks working together and/or reporting cyber incidents? Eight of the biggest banks have joined forces to try and determine ways to ward off cybercrime. This rising threat to banks requires bolder action because it impacts the entire industry and because the government’s own efforts are moving too slowly. Fortunately for community banks, any headway the group makes will help the industry, so maybe lenders and smaller banks may reap the benefits without having to take on the expense of such an effort.


The new group will operate as a part of the Financial Services Information Sharing and Analysis Center (FS-ISAC) created in 1999. It is designed to help the private financial sector and the government to work together to protect the operations of the economy and the government. That directive, which was updated in 2003, requires an exchange of information about both physical and cyber security threats or areas of weakness to protect critical US infrastructure.


Steve Brown with PCBB writes that, “The goal of the new group, however, is to foster greater sharing and collaboration than what has occurred through the FS-ISAC to date. In particular, the group hopes to exchange more detailed information on threats recognized by the institutions within it and to work together to establish protocols to follow whenever cyberattacks take place. They are even planning to hold war games to replicate some of the biggest threats.”


Per a report by the global security risk monitoring company SecurityScorecard, large financial institutions have suffered 22 major data breaches over the past 12 months (this only includes those that have been made public – and mortgage companies are notorious for not making public cyberattacks). The report also finds 75% of the largest 20 US banks are infected with malware. Though the federal Cybersecurity Information Sharing Act mandated the sharing of Internet traffic information between the government and technology and manufacturing companies, the largest financial institutions have expressed concerns. They see the law as another slow-moving layer of bureaucracy, so they are taking action themselves.


Specific concerns around information sharing include questions about whether the government can adequately secure the information banks are sending over, along with fears that passing on threat information could lead to shareholder lawsuits. Given the unfortunate reality that there is no such thing as a cyber superhero, it is not surprising the industry has decided to address these issues directly. In the meantime, stay diligent and monitor your systems for kryptonite to protect your data.


Will the new administration give cybersecurity its due? Jeremy Potter writes, “Politics, fundamentally, is about the allocation of limited resources.  This is true of energy as well as money. One example is a Trump Justice Department (no, that’s not an oxymoron) where the Attorney General (Rudy?) can shift the resources to terrorism type cases instead of banking type cases. There are myriad examples of this.  One that concerns me the most is an inexperienced or decreasing focus on cybersecurity.  Not only because Trump has discounted the success/reality of these types of hacks but also because Trump’s inner circle has shown no propensity for the thoroughness or expertise required.  Perhaps that could change with influence from Silicon Valley (see, Peter Thiel).”


K&L Gates offered its take on the Financial Crimes Enforcement Network (“FinCEN”) issuing an advisory (the “Advisory”) explaining the obligations a “financial institution” might have under the Bank Secrecy Act (“BSA”) regarding “cyber-events and cyber-enabled crime.” The Advisory states that even if an actual financial transaction did not take place as result of a cyber-event, a financial institution may still be required to file a Suspicious Activity Report (“SAR”) in certain circumstances.  Because of this, a covered financial institution should reconsider its obligations under the BSA after a cyber-event.


“SARs provided to FinCEN are confidential and not discoverable in civil litigation. FinCEN, a bureau within the Treasury Department, is tasked with enforcing the BSA. While advisories, like the one FinCEN issued on October 25, 2016, do not have the force of law, they represent FinCEN’s current interpretation of the law on which FinCEN can be expected to rely in investigations. Failure to comply with BSA requirements can have costly consequences.


“The Advisory states that a ‘financial institution is required to report a suspicious transaction conducted or attempted by, at, or through the institution that involves or aggregates to $5,000 or more in funds or other assets.’ It explains that when a financial institution knows or reasonably suspects that a cyber-event was intended to facilitate a transaction, it should be considered ‘part of an attempt to conduct a suspicious transaction.’ This means that even if the cyber-event was unsuccessful (i.e., no money was actually transferred or no other assets were stolen), it could still be enough to warrant a SAR filing.


“FinCEN provided an example to demonstrate this point: Through a malware intrusion (a type of cyber-event), cybercriminals gain access to a bank’s systems and information. Following its detection, the bank determines the cyber-event put $500,000 of customer funds at risk, based on the systems and/or information targeted by the cyber-event. Accordingly, the bank reasonably suspects the intrusion was in part intended to enable the perpetrators to conduct unauthorized transactions using customers’ funds. FinCEN states that under these circumstances, the financial institution must file a SAR, even though no actual transaction may have occurred.

“Under this broad mandate, financial institutions should consider the possibility of filing a SAR after any cyber-event, even if the primary objective of the cyber-event does not appear to be theft of money. FinCEN points out that account numbers, scores, passwords, and PINs all have value and count towards the $5,000 threshold because the stolen information could lead to later unauthorized transactions. Even attacks like a Distributed Denial of Service (‘DDoS’) could lead to a SAR filing. A DDoS occurs when a cybercriminal interrupts a company’s web services by flooding the company’s server with requests. Sometimes the intentions of a cybercriminal using a DDoS attack are difficult to discern. Cybercriminals may initiate DDoS attacks for extortion, hacktivism, or simply to cause mischief. FinCEN points out that DDoS attacks can be used as a smokescreen for other less obvious attacks that could put more than $5,000 at risk. In those cases, according to FinCEN, a SAR should be filed.


“FinCEN requires that a financial institution ‘file complete and accurate reports that incorporate all relevant information available, including cyber-related information.’ It specifically requests that financial institutions include IP addresses with timestamps, virtual-wallet information, and device identifiers. Some financial institutions may not have access to the sophisticated technology required to collect this cyber-event information. If they do, FinCEN requires that this information, along with any other information, such as fraudulent transfers related to the cyber-event, be reported in the SAR.


“In the Advisory, FinCEN requests the various departments tasked with security within a financial institution to collaborate and develop a comprehensive approach to security. FinCEN states that information provided by ‘cybersecurity units could reveal additional patterns of suspicious behavior and identify suspects not previously known to BSA/AML units’ and could lead to a better understanding of the risk exposure in the wake of a cyber-event. FinCEN encourages, but does not require, the sharing of information among financial institutions as a way to gain a more accurate picture of possible threats. Further, it does not mandate that financial institutions share information by any particular method. If a financial institution is interested in this approach, there are third-party originations that can facilitate information and collaboration, such as the National Cyber-Forensics & Training Alliance (NCFTA). The NCFTA is a nonprofit entity that defends against cyber-based threats by bringing public, private, and academic sectors together in one space to share information and resources as a united front against cyber threats.” Thank you K&L Gates!


Education continues. This week The Mortgage Collaborative is offering a webinar to its members titled, “The Wild West of Cyber Liability Insurance.” BuckleySandler, for example, hosted a FinCrimes webinar last week. “Please join BuckleySandler for a discussion of cybersecurity and data risk, and its convergence with AML, conducted as part of our ongoing FinCrimes webinar series. The webinar will include a three-person panel comprised of James Shreve from BuckleySandler, Rich Nolan from Citi, and Tom Pageler from Neustar.”


Switching briefly to lending, “Prospect Mortgage thanks our Veterans! Join us as we ‘Walk for Our Troops’ to honor all Veterans and raise funds for Homes for Our Troops. To join our walk on Veterans Day weekend, click here. If you cannot participate, consider donating to this great organization: Also, on November 17, Prospect will be hosting a free, educational webinar How Dec. Can Make or Break Your Summer Selling Season’ with top Agent Mark Moskowitz and sales expert Todd Duncan. Register to learn how to beat the holiday haze!”



A doctor, a civil engineer and a programmer are discussing whose profession is the oldest. “Surely medicine is the oldest profession,” says the doctor. “God took a rib from Adam and created Eve and if this isn’t medicine I’ll be…” The civil engineer breaks in: “But before that He created the heavens and the earth from chaos. Now that’s civil engineering to me.” The programmer thinks a bit and then says: “And who do you think created chaos?”






(Copyright 2016 Chrisman LLC. All rights reserved. Occasional paid job listings do appear. This report or any portion hereof may not be reprinted, sold or redistributed without the written consent of Rob Chrisman.)


Rob Chrisman