Financial Services Breach Response

Banks, insurers, and fintechs face some of the strictest breach-notification rules of any industry. This guide covers NYDFS Part 500 (72 hours), SEC Form 8-K Item 1.05 (4 business days), and GLBA, with templates.


The Critical Deadlines

  • NYDFS (entities licensed or regulated by the NY Department of Financial Services): 72 hours from determining that a reportable Cybersecurity Event occurred; 24 hours after any extortion payment.
  • SEC (public companies): 4 business days after determining that an incident is material (Form 8-K, Item 1.05). The materiality determination itself must be made without unreasonable delay after discovery.
  • Federal banking regulators (OCC, FDIC, Federal Reserve): 36 hours after determining that a "notification incident" occurred, under the Computer-Security Incident Notification Rule.
  • GLBA (all financial institutions): banking organizations must notify affected customers "as soon as possible" under the Interagency Guidance; non-bank financial institutions must notify the FTC within 30 days of discovering a notification event affecting 500 or more consumers under the FTC Safeguards Rule.
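The deadline arithmetic above is easy to get wrong at 2 a.m.: NYDFS and the banking rule count calendar hours, the SEC counts business days that skip weekends and federal holidays, and each clock starts from a different trigger event. The deadline clock below is an added example written for this guide, not a tool from any regulator; the holiday set is a constructed sample, and the 5:30 p.m. ET cutoff is assumed from EDGAR's practice of giving filings accepted after that time the next business day's filing date.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta

# Constructed sample of federal holidays for the example. Replace with the
# published federal holiday calendar; EDGAR is closed on those days.
SAMPLE_HOLIDAYS = frozenset({date(2024, 7, 4), date(2024, 9, 2)})

# Assumption: filings accepted by EDGAR after 5:30 p.m. ET carry the next
# business day's filing date, so treat 17:30 local as the hard cutoff.
EDGAR_CUTOFF = time(17, 30)


def parse(ts: str):
    """Parse an ISO-8601 string as a date (YYYY-MM-DD) or a naive datetime."""
    return date.fromisoformat(ts) if len(ts) == 10 else datetime.fromisoformat(ts)


def add_business_days(start: date, n: int, holidays=frozenset()) -> date:
    """Date n business days after start; start itself is day 0.
    Weekends and supplied holidays are skipped, matching Form 8-K counting."""
    current, remaining = start, n
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            remaining -= 1
    return current


def sec_form_8k_deadline(materiality_determined_on: date, holidays=frozenset()) -> date:
    """Item 1.05: four business days after the materiality determination,
    not after discovery of the incident."""
    return add_business_days(materiality_determined_on, 4, holidays)


def nydfs_notice_deadline(determined_at: datetime) -> datetime:
    """23 NYCRR 500.17(a): 72 hours after determining a reportable event occurred."""
    return determined_at + timedelta(hours=72)


def nydfs_extortion_deadlines(paid_at: datetime) -> tuple[datetime, datetime]:
    """23 NYCRR 500.17(c): notice within 24 hours of an extortion payment and a
    written explanation within 30 days of it."""
    return paid_at + timedelta(hours=24), paid_at + timedelta(days=30)


def bank_regulator_deadline(determined_at: datetime) -> datetime:
    """Computer-Security Incident Notification Rule (OCC/FDIC/FRB): primary
    federal regulator notified no later than 36 hours after determining that a
    notification incident occurred."""
    return determined_at + timedelta(hours=36)


@dataclass(order=True)
class Clock:
    due: datetime
    label: str


def build_clocks(nydfs_determined_at=None, bank_determined_at=None,
                 sec_material_on=None, extortion_paid_at=None,
                 holidays=frozenset()) -> list[Clock]:
    """Every regulatory clock that has started, soonest first, so the IR lead
    sees which filing is due next. Arguments left as None have not started."""
    clocks = []
    if nydfs_determined_at is not None:
        clocks.append(Clock(nydfs_notice_deadline(nydfs_determined_at),
                            "NYDFS 500.17(a) notice (72h)"))
    if bank_determined_at is not None:
        clocks.append(Clock(bank_regulator_deadline(bank_determined_at),
                            "Primary federal banking regulator notice (36h)"))
    if sec_material_on is not None:
        due_date = sec_form_8k_deadline(sec_material_on, holidays)
        clocks.append(Clock(datetime.combine(due_date, EDGAR_CUTOFF),
                            "SEC Form 8-K Item 1.05 (4 business days)"))
    if extortion_paid_at is not None:
        notice, explanation = nydfs_extortion_deadlines(extortion_paid_at)
        clocks.append(Clock(notice, "NYDFS 500.17(c) extortion payment notice (24h)"))
        clocks.append(Clock(explanation, "NYDFS 500.17(c) written explanation (30d)"))
    return sorted(clocks)


if __name__ == "__main__":
    # Constructed scenario: event confirmed Wed 3 Jul 2024 09:00 ET, materiality
    # decided the same day, ransom paid Fri 5 Jul 14:00; 4 July is a holiday.
    t0 = parse("2024-07-03T09:00")
    for c in build_clocks(nydfs_determined_at=t0, bank_determined_at=t0,
                          sec_material_on=t0.date(),
                          extortion_paid_at=parse("2024-07-05T14:00"),
                          holidays=SAMPLE_HOLIDAYS):
        print(f"{c.due:%a %Y-%m-%d %H:%M}  {c.label}")
```

Note that the SEC clock in the constructed scenario lands on 10 July even though the determination was made on 3 July: the holiday and the weekend are skipped, and the clock was keyed to the materiality determination, not to the first alert. Feed the functions your real trigger timestamps and the published holiday calendar and keep the output on the incident bridge.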

NYDFS Part 500: The 72-Hour Rule

If you are a covered entity under NYDFS Part 500, you must notify the New York Department of Financial Services within 72 hours of determining that a Cybersecurity Event has occurred that (a) requires notice to any other government body, self-regulatory agency or supervisory body, (b) has a reasonable likelihood of materially harming any material part of your normal operations, or (c) involved ransomware deployed within a material part of your information systems (23 NYCRR 500.17(a)). The clock starts at the determination, not at the first alert, which is why confirming the event quickly matters. If you make an extortion payment in connection with the event, you must also notify NYDFS within 24 hours of the payment and provide a written explanation within 30 days (500.17(c)).

What is a "Cybersecurity Event"?

Per 23 NYCRR 500.1, a Cybersecurity Event is any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or the information stored on it. The definition is deliberately broad and covers:

  • Attempts, not only successful intrusions
  • Compromise of the confidentiality, integrity, or availability of Nonpublic Information (NPI)
  • Unauthorized access to, disruption of, or misuse of an information system

Not every Cybersecurity Event is reportable. Only events meeting the 500.17(a) criteria above trigger the 72-hour notice; the rest still belong in your incident records, which support the annual compliance certification.
Hour    Action
0-24    Confirm that the event meets the 500.17(a) reporting criteria (this determination starts the clock). Activate the Incident Response Team. Contain the breach.
24-48   Draft the notification to NYDFS. Determine the scope of impact. Notify the CISO and the Board.
48-72   Submit the notification through the DFS Cybersecurity Portal. Preserve evidence. Update stakeholders.

SEC Form 8-K: Material Cybersecurity Incidents

Public companies must disclose cybersecurity incidents they have determined to be material on Form 8-K, Item 1.05, within four business days of that determination. The determination must be made without unreasonable delay after discovery; postponing the analysis does not extend the clock.

What is "Material"?

The SEC applies the ordinary securities-law materiality standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision. The rule directs registrants to weigh qualitative as well as quantitative factors, including:

  • Financial impact (revenue loss, remediation costs)
  • Operational disruption (can you deliver services?)
  • Reputational damage (customer churn, brand impact)
  • Regulatory consequences (fines, consent orders)

When Filing May Be Delayed

The only permitted delay is for national security or public safety:

  • The U.S. Attorney General must determine that disclosure would pose a "substantial risk to national security or public safety" and notify the SEC of that determination in writing.
  • The delay is initially up to 30 days, extendable by a further 30 days and, in extraordinary circumstances, a final 60 days.

Note: Expect this exception to be rare; do not plan your timeline around it. If you have not determined the incident to be material, Item 1.05 does not apply; SEC staff guidance points to Item 8.01 for voluntary disclosure of incidents whose materiality is undetermined or not material.

SEC Form 8-K Item 1.05 Template

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): [Date]

[Company Name]
(Exact name of registrant as specified in its charter)

Item 1.05 Material Cybersecurity Incidents.

On [Date], [Company Name] (the "Company") identified a cybersecurity incident involving [brief description of incident type, e.g., "unauthorized access to certain of the Company's systems"].

Nature and Scope:

The incident involved [describe what systems/data were affected]. The Company became aware of the incident on [Discovery Date] and immediately activated its incident response protocols, including engaging external cybersecurity experts to conduct a forensic investigation.

Affected Data:

Based on the investigation to date, the Company believes that the incident may have affected [describe data types: customer information, employee records, financial data, etc.]. The Company estimates that approximately [Number] individuals may have been affected.

Response and Remediation:

Upon discovery, the Company took immediate steps to contain the incident, including [list specific actions: isolating affected systems, resetting credentials, deploying enhanced monitoring, etc.]. The Company has notified law enforcement and is cooperating with their investigation. The Company is also in the process of notifying affected individuals and relevant regulatory authorities as required by applicable laws.

Material Impact:

The Company is continuing to assess the full scope and impact of this incident. While the investigation is ongoing, the Company currently estimates that costs associated with this incident, including remediation, legal fees, customer notification, and credit monitoring services, could range from $[X] million to $[Y] million. [If applicable: The Company maintains cybersecurity insurance with a coverage limit of $[Z] million and a deductible of $[A] thousand.]

[If applicable: The incident has resulted in [describe operational impact: temporary service disruptions, system downtime, etc.]. Normal operations have been [restored as of [Date] / are expected to be restored by [Date]].]

The Company does not currently believe this incident will have a material adverse effect on its financial condition or results of operations. However, the Company's assessment is preliminary and may change as the investigation continues.

Forward-Looking Statements:

This Current Report contains forward-looking statements regarding the potential impact of the cybersecurity incident. Actual results may differ materially from those expressed or implied in forward-looking statements as a result of various factors, including the ultimate scope of the incident, remediation costs, regulatory actions, and litigation.

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

[Company Name]

By: _________________________
Name: [Name]
Title: [Title, e.g., Chief Financial Officer]
Date: [Date]

Important: This template is for reference only. SEC filings are complex legal documents; always work with securities counsel and your IR team before filing, and expect the SEC to review the disclosure closely. Two practical points: Item 1.05 does not require you to disclose technical details about your systems or planned response that would impede remediation, and if required information is not determined or unavailable at filing time, say so in the 8-K and file an amendment (Form 8-K/A) within four business days after the information becomes available.

GLBA: Customer Notification

The Gramm-Leach-Bliley Act does not itself contain a breach-notification clause; the obligation comes from its implementing rules. The Interagency Guidance on Response Programs (for banking organizations) requires notice to affected customers, and the FTC Safeguards Rule (for non-bank financial institutions) requires notice to the FTC, when customers' "nonpublic personal information" (NPI) is compromised. State breach-notification laws apply on top of both.

What Triggers GLBA Notification?

Under the Interagency Guidance: unauthorized access to sensitive customer information where misuse has occurred or is reasonably possible. Under the FTC Safeguards Rule: a "notification event," meaning unauthorized acquisition of unencrypted customer information (encrypted data counts as unencrypted if the key was also accessed).

Examples: SSNs, account numbers, credit card numbers, driver's license numbers.

Regulatory Contacts

NYDFS Notification

Portal: DFS Cybersecurity Portal, on the NYDFS website

Timeline: 72 hours from determination that a reportable event occurred

SEC Notification

Form: Form 8-K (Item 1.05), filed through the EDGAR Filing System

Timeline: 4 business days from the materiality determination

Frequently Asked Questions

What is NYDFS Part 500 and who must comply?

NYDFS Part 500 (23 NYCRR 500) is New York's cybersecurity regulation for financial services companies. If you are a bank, insurance company, or other entity licensed, registered, or otherwise regulated by the New York Department of Financial Services, you must notify NYDFS within 72 hours of determining that a reportable cybersecurity event has occurred.

Do I have to disclose a breach to the SEC?

If you are a public company, the SEC requires disclosure of material cybersecurity incidents on Form 8-K within 4 business days of determining that the incident is material. Whether an incident is material depends on its impact on operations, finances, or investor confidence, weighed the way a reasonable investor would.

What is GLBA and how does it affect breach notification?

The Gramm-Leach-Bliley Act (GLBA) and its implementing rules require financial institutions to notify affected customers, and in some cases regulators, of breaches involving their personal financial information. The FTC enforces GLBA for non-bank financial institutions and expects notice within 30 days of discovery for events affecting 500 or more consumers; the federal banking regulators enforce it for banks and expect customer notice as soon as possible.

Need Financial Services IR Expertise?

Financial institutions face unique regulatory scrutiny. Connect with IR firms that specialize in banking, insurance, and fintech breach response.