Reporting Cybersecurity Incidents

Abstract: The New York financial services cybersecurity regulation requires you to notify the state Department of Financial Services when you, an affiliate, or one of your third-party service providers suffer a qualifying cybersecurity incident.

It is always possible that your agency – or one of the third-party service providers (TPSPs) the agency works with – will be victimized by cyber criminals. If that happens, the New York financial services cybersecurity regulation may require you to notify the state Department of Financial Services (DFS). While you’re attempting to limit and repair the damage, these are some questions that might come up:

What is a “cybersecurity incident”?

The regulation defines that term in two parts. The first is “cybersecurity event,” which has a very broad meaning. It is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.” Note that an unsuccessful attempt still counts. Any of these could be a cybersecurity event:

  • Someone enters the wrong password three times while trying to log in to your network and gets locked out.
  • Someone sends your office a phishing email.
  • Someone outside your agency calls an employee and asks for their network password.

DFS is not interested in hearing about most of that. It wants to hear about “cybersecurity incidents.” These are cybersecurity events that:

  • Have occurred at your agency, at any company related to your agency by ownership, or at a TPSP; and
  • Impact your agency and require you to notify a governmental body such as the state police; or
  • Have a reasonable likelihood of materially harming any material part of your normal operations; or
  • Result in the deployment of ransomware within a material part of your information systems.

In plain terms: if the event affects you, one of your affiliates, or one of your TPSPs, and it either requires you to notify the authorities, is likely to substantially harm a crucial part of your operations, or results in ransomware being deployed in a material part of your systems, you must report it to DFS.

When do we have to report the incident?

“(A)s promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.” The clock starts when your office has determined that an incident occurred, not when the intrusion itself began. That determination could come when your technology people confirm that your systems were compromised, or when a TPSP informs you that it has suffered a breach.

How do we report an incident?

The regulation requires the covered entity to make the report electronically on the DFS portal (https://myportal.dfs.ny.gov/). It’s the same portal where your agency makes its annual compliance filings and where agencies and individuals submit exemption filings when appropriate.

How do we fill out the report?

DFS has provided instructions on how to complete it.

What happens after we submit the report?

If DFS decides to investigate the matter, it may contact your office for additional information. Understand that, if the incident occurred at one of your insurance carriers (one of your TPSPs), every agency materially affected by that incident is required to report it. DFS may therefore receive a large volume of notifications about a single incident, and it might not contact every agency that notified it.

What happens if we do not report an incident?

The regulation states that any “failure to act to satisfy an obligation” is considered a violation. DFS has authority to penalize violators.

Anything else we should do?

Build the strongest cybersecurity program you can reasonably afford, to reduce the odds that you will ever have to make this report. Your time is better spent serving your clients than repairing the damage a cyber attack can cause.

Where can I get more information?

Three good sources:

Category: Ask Tim; Cyber
Published: 6/16/2025 10:02 AM
Author: Tim Dodge