#2144786 - 09/05/17 02:18 PM Cyberevents tracking and SARs
Trees Offline
Power Poster
Joined: Apr 2005
Posts: 4,013
A question for community banks.
We are having differences of opinion on what needs to be tracked and reported. Like all banks, we have programs to detect and prevent various attempts throughout the day. Of course, we would report a true successful hack but, frankly, we don't know whether or not we should be tracking and reporting the usual suspects, compiling the data as per the guidance, and sending a monthly SAR on all those unsuccessful attempts.
Please let me know how you are handling this requirement.
Thank you.

BSA/AML/CIP/OFAC Forum
#2144788 - 09/05/17 02:27 PM Re: Cyberevents tracking and SARs Trees
rlcarey Offline
10K Club
Joined: Jul 2001
Posts: 83,364
Galveston, TX
_________________________
The opinions expressed here should not be construed to be those of my employer: PPDocs.com

#2144831 - 09/05/17 05:26 PM Re: Cyberevents tracking and SARs Trees
edAudit Offline
Power Poster
Joined: Jul 2008
Posts: 4,796
You are here
Trees, if this is in reference to NYS DFS 500.17, you may get other info in the NY thread, as you are from NY.

As far as SAR is concerned, Randy had a good thread.

I do not believe that they specified what needs to be reported to the NY supervisor.

Section 500.17 Notices to Superintendent.
(a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as
possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is
either of the following:
(1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any
government body, self-regulatory agency or any other supervisory body; or
(2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the
normal operation(s) of the Covered Entity.
(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior
calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying
that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall
maintain for examination by the Department all records, schedules and data supporting this certificate for a period of
five years. To the extent a Covered Entity has identified areas, systems or processes that require material
improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts
planned and underway to address such areas, systems or processes. Such documentation must be available for
inspection by the superintendent.
Section 500.18


And from the FAQ

When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR 500.17(a)?
23 NYCRR 500.17(a) requires Covered Entities to notify the superintendent of certain Cybersecurity Events as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred. A Cybersecurity Event is reportable if it falls into at least one of the following categories:
◾ the Cybersecurity Event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
◾ the Cybersecurity Event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.

An attack on a Covered Entity may constitute a reportable Cybersecurity Event even if the attack is not successful.

http://www.dfs.ny.gov/about/cybersecurity_faqs.htm
_________________________
Opinions can be considered as coming from anywhere but my employer.

CAMS


#2144838 - 09/05/17 05:50 PM Re: Cyberevents tracking and SARs Trees
Trees Offline
Power Poster
Joined: Apr 2005
Posts: 4,013
Thanks to you both. I've read and reread the Fed's guidance and FAQs, as well as the NYS requirements. To date, we have had no cyber events along the lines of the examples provided by FinCEN. We do have the usual attempts throughout the day, which have been unsuccessful at getting through our firewalls. Our system records that an attempt took place and records the IP address, but that is it. The attempts are thwarted.
I know that the guidance includes a provision that banks can, but are not obligated to, report such attempts as I described above. My question is more focused on those types of attempts. We can provide some of the info provided in Question 1. We want to know if banks have routinely been culling this info and sending it periodically in a SAR report, most probably in an Excel-type report based on the number of such attempts that are made daily.
