Thread Options Tools
#1788 - 05/14/01 09:30 PM Reportable "crimes" to FBI

Is there any guidance concerning what computer "crimes" are required to be reported to law enforcement or the FBI? I'm not asking for guidance concerning a SAR. These would be instances which are below the threshold for reporting.

For instance, if an unknown individual defaces the bank's website, is that reportable? What about a hacker that gains access but does not access any customer information? There are many other examples that can be used. I"m looking for specific regulatory cites if possible. thanks in advance.

Return to Top
General Discussion
#1789 - 05/14/01 10:07 PM Re: Reportable "crimes" to FBI
David Dickinson Offline
10K Club
David Dickinson
Joined: Nov 2000
Posts: 18,762
Central City, NE
The SAR instructions state:
a) Computer Intrusion. For purposes of this report, “computer intrusion” is defined as gaining access to a computer system of a financial institution to:
i) Remove, steal, procure or otherwise affect funds of the institution or the institution’s customers;
ii) Remove, steal, procure or otherwise affect critical information of the institution including customer account information; or
iii) Damage, disable or otherwise affect critical systems of the institution.
For purposes of this reporting requirement, computer intrusion does not mean attempted intrusions of websites or other non-critical information systems of the institution that provide no access to institution or customer financial or other critical information.

David Dickinson

Return to Top
#1790 - 05/15/01 02:15 PM Re: Reportable "crimes" to FBI
RVFlyboy Offline
Power Poster
Joined: Oct 2000
Posts: 5,976
Soaring over Georgia
First, the SAR thresholds are not absolute - you can always report on a SAR activity that is below those thresholds.

FDIC put out some guidance on your question a few years ago in FIL 124-97 at that may help you. Also, in FIL 98-98 they reinforce my point above by encouraging institutions to file an SAR whenever they become aware of any attempt to access customer information via pretext calling.

Even if your illegal computer access resulted in no monetary loss, the potential for loss far in excess of the SAR reporting thresholds occurs whenever there is illegal computer access. You mentioned defacing the bank's website. How do you quantify the loss associated with that? How many potential customers did you lose? You'll never know.

Opinions expressed are my own, and do not necessarily reflect those of my employer.

Jim Bedsole, CRCM, CBA, CFSA, CAFP
My posts - my opinions

Return to Top