Cyber incident reporting overview
Financial institutions play a big role in protecting the national financial system from cyber threats. Sharing cyber incident information between state and local law enforcement agencies and the federal government is critical to mitigating national cyber risks. A prompt response to report a cyber incident can prevent the damage of the attack.
The Division of Banks (DOB) encourages its regulated entities to report cyber incidents. A cyber incident is any attempt to compromise or gain electronic access without permission to electronic systems, services, resources, or information.
Resources for cyber incident reporting:
- Report to your primary regulator
- Report to the Financial Crimes Enforcement Network (FinCEN)
- Report to Government entities
Reporting cyber crimes to your primary regulator
You should immediately notify your primary regulator after becoming aware of a cyber incident. The cyber incident may involve unauthorized access and/or use of confidential consumer information. In the case of a cyber incident, you should be familiar with FinCEN's Suspicious Activity Report (SAR) filing requirements. You should also report any incident of unauthorized access to or use of sensitive customer information to your federal regulator.
Massachusetts General Laws chapter 93H requires you to provide notice to the Massachusetts Attorney General and the Office of Consumer Affairs and Business Regulation if there is a security breach. This notice is also necessary if the use or theft of a Massachusetts resident’s personal information occurs. The affected resident must also receive the notice.
Report to FinCEN
FinCEN and law enforcement use financial institution SAR filings to start investigations. SAR filings are also used to identify criminals and disrupt criminal networks.
FinCEN issued an advisory on cyber crime reporting.
Mandatory SAR filing
SAR filing is mandatory for most financial institutions if you suspect a suspicious transaction was completed or attempted. Other SAR filing requirements include one or more transactions involving $5,000 or more in funds or other assets. Suspicious or high dollar amount transactions may involve acquiring funds through illegal activities.
When determining whether a cyber incident should be reported, you should consider:
- All information surrounding the cyber incident
- The nature of the incident
- Information accessed
- System(s) targeted
- Aggregate funds and assets involved or put at risk by the incident
Even if a cyber incident does not meet SAR filing requirements, your financial institution is encouraged to voluntarily file a SAR. Such information is valuable in law enforcement investigations.
Report to government entities
The DOB encourages your financial institution to voluntarily report suspected or confirmed cyber incidents to a federal government organization. Relevant government organizations include the Department of Homeland Security and the Department of Justice. The federal government accepts reports in person, via e-mail, phone, or online tools. Reports made to government agencies are shared with relevant stakeholders to help lessen the consequences of the cyber incident. Report sharing also helps to evaluate the impact of the incident, and investigate any criminal violations.
The additional resources below tell you where and how to report to government entities.
- Quick guide to law enforcement cyber incident reporting
- United States Computer Readiness Team (US-CERT) report incidents, phishing, malware, or vulnerabilities
- National Cybersecurity and Communications Integration Center (NCCIC)
- Commonwealth of Massachusetts Fusion Center
- Locate a United States Electronic Crimes Task Force
- Locate Federal Bureau of Investigation (FBI) Cyber Task Forces
- Immigration and Customs Enforcement Homeland Security Investigations (ICE HIS) Cyber Crimes Center
- FFIEC Cybersecurity & Resilience Against Cyber Attacks brochure
- US-CERT Federal Incident Notification Guidelines