A Deeper Look at the Criteria for Reporting a Breach to NYDFS

In the last newsletter, we discussed the NYS Department of Financial Services (“DFS”) recent efforts and its overall posture of ramping up enforcement.  One of the important points that we noted was that the hefty multi-million dollar penalties assessed by DFS were based in part on breaches that went unreported to DFS pursuant to the Cybersecurity Regulation.


As an example, on April 14, 2021, DFS announced a $3 million penalty against National Securities Corporation (“NSC”).  The DFS NSC announcement – https://dfs.ny.gov/reports_and_publications/press_releases/pr202104141 – specifically cited that NSC failed to report prior breaches.  “The Department’s investigation uncovered evidence that National Securities had been the subject of four cyber breaches between 2018 and 2020, two of which had not been reported to the Department as mandated by the Cybersecurity Regulation.”  


Thus, it is essential that an entity be familiar with the Cybersecurity Regulation and whether a breach is reportable.  As you know, 23 NYCRR Part 500 is the codification of the DFS Cybersecurity Regulation.    The regulation, specifically 23 NYCRR 500.17(a), requires DFS be notified about a cybersecurity event in two instances:  (1) If the cybersecurity event requires an entity to report to any other government body or agency; or (2) If the cybersecurity event has “reasonable likelihood of materially harming any material part of the normal operation(s)” of the entity.


In the next installment, we discuss each of the prongs related to reporting a breach and how to accurately assess an entity’s obligation as well as documenting that assessment.  As referenced above, there are serious and material consequences (at least three million of them according to DFS) for an entity to correctly assess a suspected breach and its associated obligations.