You would not only file the SAR, but you would submit a copy of the SAR form and narrative to the U.S. Attorney's office for the district of your bank's headquarters location; and you would report the incident at
www.us-cert.gov (Homeland Security's new cyber incident section). Most importantly, you should have a competent audit or IT person
print the audit logging reports that you maintain for that system (I think you said a server), in order to retrieve and maintain access-event data, time and date information, and, assuming this is network-based, any tell-tale ISP information.
It is not just important to complete the SAR and technical report gathering, but it is equally if not more important to mitigate future events. I'm puzzled how you would immediately conclude this was someone "hacking" into your system -- assuming there are IDS and firewall appliances or software fronting your controller -- and I'm wondering if this could be a previous or disgruntled webmaster-type person. Anyone with a userID and password to your site can vandalize; it doesn't mean an external party did this. Also, what motivation would a non-interested party have in wasting time at your particular organization. The E&Y/FBI annual report of computer/technology crimes notes that over 90% of these types of incidents are related to an "insider" -- i.e., consultant, vendor, employee, etc., -- who actually knows of your log-on routines and userID naming conventions.