Cybersecurity, BSA compliance more interconnected than ever

November 14, 2017
Marsha Sapino and Jim Vilker of CU Answers discuss how BSA/AML compliance is a major part of credit unions' cybersecurity programs, and how to plan for, and respond to, a cyber incident.

Bank Secrecy Act (BSA) compliance is now an integral part of a financial institution’s cybersecurity strategy, Jim Vilker, vice president of CU Answers, said Tuesday at the CUNA/National Association of State Credit Union Supervisors BSA Conference. Vilker explained that this changed with an October 2016 advisory from the Financial Crimes Enforcement Network (FinCEN), which stated that cyber crime and BSA policies should be shared with cybersecurity, compliance, BSA and anti-money laundering teams, among others.

“Cybersecurity is intersecting in a new way with BSA/AML compliance, and it’s becoming increasingly important that BSA/AML officers are aware of the kinds of cyberthreats out there,” Vilker said. “There used to be a lot of silos out there, where compliance, risk management, network security, all of those were separate parts, but today’s cybersecurity environment means all those departments need to be interconnected in a new way.”

It is recommended that BSA professionals also be familiar with other regulatory requirements. A “cyber event” is defined as an attempt to compromise, or to gain unauthorized electronic access to, electronic systems, resources, services, or information.

The timeline of a cyber event is:

  • Detection: an administrator or employee detects suspicious activity on a system or network;
  • Verification: the employee verifies that an incident has likely occurred;
  • Notification: the incident response team (IRT) is notified of a possible incident via a security incident report form;
  • Assessment: the IRT investigates the event and determines its scope;
  • Response: the IRT takes appropriate steps to mitigate the breach, stop the attack and gather/preserve forensic data;
  • Alert: the IRT alerts staff, clients and regulators as appropriate;
  • Remediation: corrective action is taken and validated; and
  • Resumption of production activities.

The FinCEN bulletin outlines what information should be included when a financial institution files a suspicious activity report (SAR), including IP addresses, websites, email addresses and attack vectors (e.g., malware, hacking, identity theft).

“This is definitely not your mom’s SAR. There’s a lot of specific information you want to have in this area that is very specific to IT,” said Marsha Sapino, an AuditLink assistant manager at CU Answers. “So you definitely need to contact that department and get as much information as possible, because this is what FinCEN is asking for; they need this information.”
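The indicator types the bulletin calls for (IP addresses, websites, email addresses, attack vector) are usually scattered through the IRT's free-text notes from the Response stage. The script below, an added example rather than CU Answers' or CUNA's own code, pulls them out of constructed sample notes, sets aside addresses that belong to the institution's own internal ranges (the RFC 1918 and loopback ranges are an assumption), tags the attack-vector categories the article names using an assumed keyword list, and renders a block suitable for the SAR narrative. The note contents, hostnames and addresses are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed incident-response notes (sample data, not from a real incident),
# in the form an IRT might keep while gathering and preserving forensic data.
SAMPLE_NOTES = """\
2017-11-10 03:14 UTC  Proxy logs show an outbound beacon to 203.0.113.45 from workstation W-221.
2017-11-10 03:20 UTC  Phishing email to a teller from payroll-update@example.net linking to
                      http://login-update.example.org/portal?id=7731 (credential harvesting page).
2017-11-10 04:02 UTC  Attachment identified as malware; sandbox shows it contacting 198.51.100.7.
2017-11-10 04:05 UTC  Alerts on 10.20.30.40 traced to our own vulnerability scanner (benign).
2017-11-10 04:10 UTC  Second beacon to 203.0.113.45 blocked at the firewall.
"""

# Address space that belongs to the institution itself (assumption: RFC 1918 plus loopback).
# Addresses in these ranges are noted for the IRT but not reported as attacker infrastructure.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Attack-vector categories named in the article, keyed by phrases analysts tend to write.
# The keyword lists are an assumption for illustration, not a FinCEN vocabulary.
ATTACK_VECTOR_KEYWORDS = {
    "malware": ("malware", "ransomware", "trojan", "beacon"),
    "hacking": ("unauthorized access", "brute force", "exploit"),
    "identity theft": ("phishing", "credential", "account takeover"),
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
URL_RE = re.compile(r"\bhttps?://[^\s<>\"]+")


@dataclass
class SarCyberIndicators:
    """The indicator types the FinCEN advisory asks for, plus what was set aside."""
    ip_addresses: list = field(default_factory=list)
    websites: list = field(default_factory=list)
    email_addresses: list = field(default_factory=list)
    attack_vectors: list = field(default_factory=list)
    internal_ips_excluded: list = field(default_factory=list)


def _unique(items):
    """Deduplicate while keeping first-seen order, so the narrative follows the timeline."""
    return list(dict.fromkeys(items))


def _is_internal(ip):
    return any(ip in net for net in INTERNAL_NETWORKS)


def extract_indicators(notes: str) -> SarCyberIndicators:
    """Pull IPs, websites, email addresses and attack vectors out of free-text IRT notes."""
    ind = SarCyberIndicators()
    external, internal = [], []
    for raw in IP_RE.findall(notes):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # e.g. "999.1.1.1" matches the regex but is not an address
        (internal if _is_internal(ip) else external).append(raw)
    ind.ip_addresses = _unique(external)
    ind.internal_ips_excluded = _unique(internal)
    ind.websites = _unique(URL_RE.findall(notes))
    ind.email_addresses = _unique(EMAIL_RE.findall(notes))
    lowered = notes.lower()
    ind.attack_vectors = [vector for vector, words in ATTACK_VECTOR_KEYWORDS.items()
                          if any(w in lowered for w in words)]
    return ind


def narrative_section(ind: SarCyberIndicators) -> str:
    """Render the indicators as a block that can be pasted into the SAR narrative."""
    lines = ["Cyber-event indicators:"]
    lines.append("  Attack vector(s): " + (", ".join(ind.attack_vectors) or "undetermined"))
    lines.append("  IP addresses: " + (", ".join(ind.ip_addresses) or "none"))
    lines.append("  Websites: " + (", ".join(ind.websites) or "none"))
    lines.append("  Email addresses: " + (", ".join(ind.email_addresses) or "none"))
    if ind.internal_ips_excluded:
        lines.append("  (internal addresses omitted from the report: "
                     + ", ".join(ind.internal_ips_excluded) + ")")
    return "\n".join(lines)


if __name__ == "__main__":
    print(narrative_section(extract_indicators(SAMPLE_NOTES)))
```

Keeping the excluded internal addresses in the output, rather than silently dropping them, matters for the Assessment and Alert stages: the BSA officer can see that an address was deliberately left out of the SAR because it was the institution's own scanner, and the IT department can confirm that judgement before filing.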

Credit unions should have cyber incident plans in place in the event such a thing happens, plans that include:

  • An overview of the corporate approach to data breaches or network intrusions;
  • The scope of the plan, outlining individuals and teams, as well as a list of assigned responsibilities;
  • Impact analysis on the types of personally identifiable information that may have been exposed, to determine the severity of the event and the prioritization of notifications;
  • A notification process for management, members, boards, regulators and other authorities; and
  • A breakdown of who has the authority to act and what decisions can be made based on the severity of impact.

Keywords: BSA, conference, compliance