Satisfying Your AML Obligations After a Cybersecurity Incident


by Colleen Brown, Ranah Esmaili, Laura Sorice, and Rimsha Syeda

There are several steps organizations should take to ensure compliance with SARs reporting for cyber events.

A recent enforcement action by the U.S. Securities and Exchange Commission (SEC) serves as a reminder that cybersecurity events can trigger the obligation to file Suspicious Activity Reports (SARs) under the Bank Secrecy Act, as strengthened by the USA PATRIOT Act of 2001. On May 12, 2021, the SEC settled charges against GWFS Equities, Inc. (GWFS) for failing to file SARs following efforts by bad actors to gain access to customer accounts, and ordered the firm to pay a $1,500,000 penalty. This enforcement action is the first of its kind, and it should prompt financial institutions subject to SAR filing requirements to promptly evaluate their reporting obligations after any cyber incident. That means conducting ongoing personnel training on SAR-related policies, maintaining policies and procedures that route cybersecurity incidents to the AML department for a compliance assessment, and ensuring that, when a filing is required, the firm files a complete SAR within 30 days of detecting the suspicious activity.

The SAR Requirement

SARs are a tool to report known or suspected violations of law or suspicious activity observed by financial institutions to the Financial Crimes Enforcement Network (FinCEN). The financial institutions subject to these obligations include banks, bank holding companies, casinos and card clubs, money services businesses, broker-dealers, mutual funds, insurance companies, futures commission merchants and introducing brokers in commodities, and residential mortgage lenders and originators. 

FinCEN regulations, issued under the Bank Secrecy Act (BSA), require a financial institution to file a SAR if: (a) a suspicious transaction is conducted or attempted by, at, or through the institution; (b) the transaction involves or aggregates to $5,000 or more in funds or other assets; and (c) the institution knows, suspects, or has reason to suspect that the transaction, among other things, involves illegal activity or has no apparent business or lawful purpose. A SAR must be filed no later than 30 calendar days after the date of initial detection of the suspicious activity; if no suspect has been identified by then, the regulations allow up to an additional 30 calendar days to identify one, but never more than 60 calendar days in total. The SAR narrative should set out the five essential elements of information – who? what? when? where? and why? – of the suspicious activity being reported.

In 2016, FinCEN published an advisory on cyber-events and cyber-enabled crime that makes clear SAR reporting is mandatory for a cyber event where the financial institution “knows, suspects, or has reason to suspect that a cyber-event was intended, in whole or in part, to conduct, facilitate, or affect a transaction or a series of transactions…” Importantly, a financial institution may be required to file a SAR even where the cyber event was unsuccessful. This is a critical point: the legal reporting analysis must occur even for attacks that were thwarted, and that requirement should be expressly called out in the institution’s incident response plan so that a blocked account-takeover attempt is referred to compliance and not simply closed out as a contained security ticket. In general, a financial institution should include in the SAR “all relevant and available information” about the cyber event; the advisory specifically asks for available cyber-related indicators such as source and destination IP addresses with timestamps, device identifiers, and a description of the methodology used.

For two categories of financial institutions – broker-dealers and mutual funds – a failure to file can also constitute a securities law violation. In a recent decision, United States Sec. & Exch. Comm’n v. Alpine Sec. Corp., 982 F.3d 68 (2d Cir. 2020), the Second Circuit validated the SEC’s focus on broker-dealer anti-money laundering (AML) programs by holding that Section 17(a) of the Securities Exchange Act of 1934 and Rule 17a-8 thereunder give the SEC authority to require SEC-registered broker-dealers to comply with the BSA’s reporting requirements.

Regulatory Focus on AML Obligations after Cybersecurity Incidents

The SEC has increased its focus on cybersecurity risks. Notably, the Commission’s Division of Examinations (EXAMS) released a Risk Alert on March 29, 2021 directed at the broker-dealer and mutual fund industry, reminding firms of their obligation to comply with AML requirements under the BSA and, in particular, their obligation to monitor for and report suspicious activity. The Risk Alert highlighted deficiencies the EXAMS staff had observed in firms’ procedures and internal controls for identifying and responding to suspicious activity, including failures to file SARs. The Risk Alert aligns with the Division’s 2021 examination priorities, which call out broker-dealers’ compliance with AML requirements, including their obligations to monitor, detect, and report suspicious activity.

Other regulators have similarly focused on cybersecurity. The Financial Industry Regulatory Authority (FINRA) also published its 2021 report on examination and risk monitoring priorities, which emphasized broker-dealers’ AML obligations. Among the observations in that report were firms’ failures to require staff to notify the AML department, or to file SARs, for a range of events, including cybersecurity events.

The SEC’s increased focus on cybersecurity was highlighted last month when the SEC’s Division of Enforcement issued voluntary document requests to a large number of companies presumably affected by last year’s SolarWinds cyberattack. SolarWinds is a network management software maker whose Orion product was trojanized in a high-profile supply-chain compromise that was publicized in December 2020. The SEC sent voluntary document requests to many SolarWinds customers, including public companies and asset managers, asking them to disclose whether (i) they installed compromised versions of the SolarWinds software, (ii) any unauthorized activity related to the cyberattack took place on their systems or networks, and (iii) they took remedial measures to address the compromise. Notably, the requests also asked responding companies to report any other unauthorized access to their systems, computer networks, or data storage facilities, not just access tied to SolarWinds. Although the SEC’s endgame for this probe is still unclear, the breadth of the requests and the number of companies involved signal that corporate cybersecurity is a high priority for the Division of Enforcement.

GWFS Enforcement Action

Regulators haven’t stopped at SAR-related guidance; they have backed up their warnings with enforcement actions. Fresh off its Alpine victory, the SEC brought an enforcement action against GWFS for failing to file approximately 130 SARs and for omitting required information from the 297 SARs it did file. According to the SEC’s order, from September 2015 through October 2018, GWFS “began detecting increasing numbers of attempts by bad actors to gain unauthorized access” to customer accounts. The broker-dealer’s own systems were not hacked; instead, the cybercriminals carried out account takeovers by, among other things, misusing customers’ personal identifying information to authenticate as those customers. The order alleged that approximately 130 suspicious transactions requiring SARs were escalated to GWFS’s BSA officer, and that even where it was determined a SAR should be filed, none was filed for any of those transactions. The SEC further alleged that the 297 SARs GWFS did file after actual or attempted takeovers omitted the five essential elements of the suspicious activity being reported. This was true even when GWFS had ample information available, such as the IP addresses and email addresses used by the cybercriminals.

The GWFS order illustrates that the SAR reporting obligation can be implicated in many ways. Importantly, the SEC now has access to far more data about data breaches than it previously did, which it could use in SAR filing sweeps or initiatives aimed at broker-dealers or registered funds. Because the SEC and other regulators are likely to keep scrutinizing financial institutions’ AML compliance in the cybersecurity context, organizations should pay special attention to any transactions that may require SAR reporting.

Practical Takeaways

Given the SEC’s increased enforcement of SAR requirements, financial institutions should confirm that they have appropriate procedures in place to monitor, detect, and report suspicious activity. A firm’s AML and cybersecurity departments should coordinate to stay abreast of reporting requirements, or the firm may run afoul of the SEC’s expectations.

There are several steps organizations should take to ensure compliance with SAR reporting for cyber events, including:

  • assess whether the organization’s AML and cybersecurity departments have an established channel for communicating, so that security findings reach compliance promptly
  • train personnel to follow internal processes for identifying and referring any suspicious activity
  • adopt policies requiring IT and security teams to report cyber events, including thwarted ones, to compliance for evaluation against SAR filing requirements, and include SAR reporting considerations in formal incident response plans
  • have periodic testing procedures in place to verify that referrals and filings are actually occurring
  • ensure that all SARs are filed within 30 days of detection of the suspicious activity
  • ensure that each SAR filing includes the five essential elements – who? what? when? where? and why? – of the activity being reported, including available technical indicators such as IP addresses, email addresses, and timestamps
  • consult with counsel following a cyber event to evaluate potential SAR filing obligations

Colleen Brown and Ranah Esmaili are Partners with Sidley’s Privacy and Cybersecurity Practice. Laura Sorice and Rimsha Syeda are Associates with Sidley’s Privacy and Cybersecurity Practice.