
Financial Services Breach Response

Banks, insurers, and fintechs face the tightest breach deadlines in any industry. This guide covers the GLBA Safeguards Rule (30-day FTC notice), NYDFS Part 500 (72 hours), SEC Form 8-K Item 1.05 (4 business days), PCI DSS v4.0 (acquirer and card-brand notice), and the banking regulators' 36-hour computer-security incident rule (commonly filed under FFIEC), with a regulation matrix and filing templates.

GLBA Safeguards Rule | NYDFS Part 500 | SEC Form 8-K | PCI DSS v4.0 | FFIEC
30 days
GLBA FTC Notice (500+ customers)
72 hours
NYDFS Superintendent Notice
4 biz days
SEC Form 8-K (material incidents)
24 hours
PCI DSS — notify acquirer/card brand

What Regulations Apply to Financial Breach Notification?

Financial institutions are subject to a layered stack of federal and state regulations, each with its own trigger, deadline, and audience. A single breach at a publicly traded bank operating in New York with a card payment environment can simultaneously trigger five separate notification obligations. The matrix below maps each regulation to its key parameters.

Regulation | Who It Covers | Notification Trigger | Deadline | Notify Whom | Enforcer
GLBA Safeguards Rule (16 CFR Part 314) | FTC-supervised financial institutions (non-bank lenders, brokers, fintechs) | Unauthorized acquisition of unencrypted customer information affecting 500 or more consumers | As soon as possible, and no later than 30 days from discovery | FTC (electronic form on ftc.gov); customers per state law | FTC
NYDFS 23 NYCRR Part 500 | Any entity holding a NY DFS license, registration, or charter (banks, insurers, mortgage servicers) | Cybersecurity Event that (a) must be reported to another government, self-regulatory, or supervisory body, (b) has a reasonable likelihood of materially harming a material part of normal operations, (c) gave an unauthorized user access to a privileged account, or (d) deployed ransomware within a material part of the information systems | 72 hours from determining that a qualifying event occurred; extortion payments: notice within 24 hours of payment plus a written explanation within 30 days | Superintendent of Financial Services via the DFS cybersecurity portal | NY DFS
SEC Rule (Form 8-K Item 1.05) | SEC registrants (all industries, including financial) | Incident determined to be material under the reasonable-investor standard; the determination itself must be made without unreasonable delay after discovery | 4 business days after the materiality determination | SEC via EDGAR; investors via the filed 8-K | SEC
PCI DSS v4.0 | Any entity that stores, processes, or transmits cardholder data | Suspected or confirmed compromise of the cardholder data environment (CDE) | Set by acquirer agreements and card-brand rules, not by the DSS text; this page uses 24 hours to the acquirer as the planning target | Acquiring bank; card brands (Visa, Mastercard, American Express, Discover); PFI engagement follows | Card brands; acquiring bank
Computer-Security Incident Notification Rule (OCC, FDIC, Federal Reserve interagency rule, often filed under FFIEC; the NCUA has a parallel rule) | Banking organizations supervised by the OCC, FDIC, or Federal Reserve; federally insured credit unions under the NCUA rule | "Notification incident": a computer-security incident that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, banking operations or delivery of products and services to a material portion of customers | 36 hours after determining that a notification incident occurred (NCUA: 72 hours) | Primary federal regulator (OCC, FDIC, or Fed; NCUA for credit unions) | OCC / FDIC / Fed / NCUA
State Breach Laws | All entities holding state residents' PII | Varies by state; most trigger on unauthorized acquisition of unencrypted PII | 30 to 90 days where a fixed window exists; NY SHIELD Act: "most expedient time possible" (no fixed window) | Affected individuals; state AG (and in some states other agencies) | State AGs

What Does the GLBA Safeguards Rule Require?

The FTC's amended GLBA Safeguards Rule (16 CFR Part 314) added a breach-notification requirement, effective May 13, 2024, under which FTC-supervised financial institutions must notify the FTC as soon as possible, and no later than 30 days after discovery, of a "notification event" involving 500 or more consumers whose unencrypted customer information was, or is reasonably believed to have been, acquired without authorization. The notice is submitted through an electronic form on the FTC's website and must state the institution's name and contact information, the types of information involved, the date or date range of the event (if known), the number of consumers affected or potentially affected, a general description of the event, and whether a law enforcement official has provided a written determination that public notice would impede a criminal investigation or damage national security (which permits a delay of up to 30 days, extendable by that official). The FTC publishes these notices. Customer notification is governed separately by applicable state breach laws.

Who Is an "FTC-Supervised" Financial Institution?

  • Mortgage lenders and brokers
  • Non-bank auto lenders
  • Pay-day lenders
  • Fintech companies providing financial products (not banks)
  • Tax preparers, accountants, appraisers
  • Retailers offering credit cards or financing

Banks and credit unions are supervised by the federal banking regulators (OCC, FDIC, Federal Reserve, NCUA), not the FTC. They follow those regulators' GLBA safeguards guidelines and their computer-security incident notification rules (36 hours for banks, 72 hours for federally insured credit unions) instead.

What Triggers the 30-Day FTC Notice?

All three conditions must be met:

  1. Unauthorized acquisition of customer information. The rule presumes that unauthorized access was also acquisition unless you have reliable evidence that acquisition did not, or could not reasonably, occur.
  2. The information was unencrypted, or it was encrypted but the key was also accessed by an unauthorized person.
  3. 500 or more consumers were affected, or are reasonably believed to have been affected.

Below 500 consumers there is no FTC notification; notify customers as applicable state law requires.

GLBA Safeguards Rule — Information Security Program Requirements

Beyond notification, the Safeguards Rule requires a written information security program overseen by a designated Qualified Individual, with risk assessments, access controls, encryption of customer information in transit and at rest, multi-factor authentication, incident response planning, service-provider oversight, and at least annual written reporting to the board or a senior officer. Violations of these underlying requirements are what the FTC pursues after a breach, and they multiply the cost of the response.

NYDFS Part 500: What Is the 72-Hour Rule?

23 NYCRR Part 500 requires any entity holding a license, registration, or charter from the New York Department of Financial Services to notify the Superintendent of Financial Services within 72 hours of determining that a qualifying "Cybersecurity Event" has occurred. The November 2023 amendments expanded the triggers (privileged-account compromise and ransomware deployment now qualify on their own) and added a separate extortion-payment obligation: any ransom or extortion payment made in connection with a cybersecurity event must be reported to DFS within 24 hours of payment, followed within 30 days by a written description of why payment was necessary, the alternatives considered, the diligence performed in searching for alternatives, and the sanctions (including OFAC) checks done.

What Qualifies as a "Cybersecurity Event" Under NYDFS?

Part 500 defines a Cybersecurity Event as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or the information stored on it. Not every event is reportable. Under 500.17(a), notice is required when the event:

  • Must be reported to any other government body, self-regulatory agency, or supervisory body, OR
  • Has a reasonable likelihood of materially harming any material part of normal operations, OR
  • Resulted in an unauthorized user gaining access to a privileged account, OR
  • Resulted in the deployment of ransomware within a material part of the information systems

Hour Window | Required Action | Who Acts
0–24 | Confirm the event meets a 500.17(a) trigger and record the time of that determination (the 72-hour clock starts here). Activate the IR team. Begin containment. Notify the CISO and General Counsel. | Security team, CISO
24–48 | Draft the DFS notification. Assess the scope of NPI involved. Notify the senior governing body. Engage outside counsel. | CISO, General Counsel, Board
48–72 | Submit the notification via the DFS Cybersecurity Portal. Preserve evidence. Notify affected business units. Update DFS as material facts change or previously unavailable information comes in. | Compliance, Legal
Extortion payment | If a ransom or extortion payment is made: notify DFS within 24 hours of the payment; file the written explanation within 30 days. | Legal, Compliance

2023 Amendment and Affiliates: The November 2023 amendments added a definition of "affiliate" (any person that controls, is controlled by, or is under common control with another person) and confirmed that a covered entity may adopt the relevant parts of an affiliate's cybersecurity program but remains responsible for meeting Part 500 itself. Covered-entity status still turns on holding a DFS license, registration, or charter; an event at a holding company or affiliate that reaches systems or NPI used by the licensed entity is that entity's event and starts its 72-hour clock.

SEC Form 8-K Item 1.05: When and What Must Public Companies Disclose?

Under SEC rules effective December 18, 2023 (June 15, 2024 for smaller reporting companies), public companies must file a Form 8-K under Item 1.05 within four business days of determining that a cybersecurity incident is material. The four-day clock starts at the materiality determination, not at discovery, but the determination itself must be made without unreasonable delay after discovery; an investigation that drags on does not defer it. The filing must describe the material aspects of the nature, scope, and timing of the incident and its material or reasonably likely material impact on the registrant, including its financial condition and results of operations. Information that is not yet known at filing is flagged as such and supplied by amendment (Form 8-K/A) within four business days of becoming known.

What Makes an Incident "Material"?

The SEC applies the reasonable investor standard: information is material if there is a substantial likelihood that a reasonable investor would consider it important. Relevant factors include:

  • Financial impact (revenue loss, remediation costs, insurance)
  • Operational disruption (ability to deliver products or services)
  • Reputational harm (customer churn, brand damage)
  • Regulatory consequences (fines, consent orders, license revocations)
  • Litigation exposure (class actions, derivative suits)

Delay Exception — Narrow and Rare

A company may delay filing only if the U.S. Attorney General determines that immediate disclosure would pose a substantial risk to national security or public safety and notifies the SEC in writing. The initial delay is up to 30 days, extendable by a further 30 days and, in extraordinary circumstances, by up to 60 more; it has been used only rarely since the rule took effect.

Do not assume this exemption applies. Engage securities counsel immediately. Note also that Item 1.05 is reserved for incidents determined to be material: the SEC's Division of Corporation Finance has said that a voluntary disclosure of an incident not yet found material, or whose materiality is still undecided, belongs under Item 8.01, so that an Item 1.05 heading can be read by investors as a materiality determination.

SEC Form 8-K Item 1.05 Template

FORM 8-K

CURRENT REPORT

Pursuant to Section 13 or 15(d) of the Securities Exchange Act of 1934

Date of Report (Date of earliest event reported): [Date]

[Company Name]
(Exact name of registrant as specified in its charter)

Item 1.05 Material Cybersecurity Incidents.

On [Date], [Company Name] (the "Company") identified a cybersecurity incident involving [brief description of incident type, e.g., "unauthorized access to certain of the Company's systems"].

Nature and Scope:

The incident involved [describe what systems/data were affected]. The Company became aware of the incident on [Discovery Date] and immediately activated its incident response protocols, including engaging external cybersecurity experts to conduct a forensic investigation.

Affected Data:

Based on the investigation to date, the Company believes that the incident may have affected [describe data types: customer information, employee records, financial data, etc.]. The Company estimates that approximately [Number] individuals may have been affected.

Response and Remediation:

Upon discovery, the Company took immediate steps to contain the incident, including [list specific actions: isolating affected systems, resetting credentials, deploying enhanced monitoring, etc.]. The Company has notified law enforcement and is cooperating with their investigation. The Company is in the process of notifying affected individuals and relevant regulatory authorities as required by applicable laws.

Material Impact:

The Company is continuing to assess the full scope and impact of this incident. While the investigation is ongoing, the Company currently estimates that costs associated with this incident, including remediation, legal fees, customer notification, and credit monitoring services, could range from $[X] million to $[Y] million. [If applicable: The Company maintains cybersecurity insurance with a coverage limit of $[Z] million.]

SIGNATURES

Pursuant to the requirements of the Securities Exchange Act of 1934, the registrant has duly caused this report to be signed on its behalf by the undersigned hereunto duly authorized.

[Company Name]

By: _________________________
Name: [Name]
Title: [Title, e.g., Chief Financial Officer]
Date: [Date]

Note: This template is for reference only. An 8-K is a legal document filed through EDGAR and reviewed by the SEC's Division of Corporation Finance and, increasingly, the Division of Enforcement. Item 1.05 does not require disclosure of specific technical details about the planned response or the affected systems, and the cost range above is illustrative: a materiality determination is not deferred until the numbers are known. Always prepare with securities counsel before filing.

PCI DSS v4.0: What Changes for Breach Response?

PCI DSS v4.0 replaced v3.2.1, which was retired on March 31, 2024; a clarifying revision, v4.0.1, was published in June 2024 and superseded v4.0 at the end of that year. v4.0 introduced 64 new requirements, 51 of them future-dated best practices until March 31, 2025, including stronger authentication (Requirement 8: MFA for all access into the CDE, 12-character minimum passwords), expanded logging and monitoring (Requirement 10), and a "customized approach" backed by documented targeted risk analyses (TRAs) as an alternative to the defined controls. For breach response the core obligations are unchanged: contain the compromise, notify your acquiring bank and the relevant card brands (Visa, Mastercard, American Express, Discover), and cooperate with a PCI Forensic Investigator (PFI). The DSS itself sets no notification clock; the timelines come from your acquirer agreement and the brands' compromise programs, and this page uses 24 hours to the acquirer as the planning target. Confirm the contractual figure before an incident.

Phase | Timeline | Action | PCI DSS Requirement
Immediate containment | Hour 0–6 | Isolate compromised systems; preserve logs and volatile evidence; disable compromised payment terminals or integrations; do not wipe or rebuild systems the PFI will need | Req. 12.10.1 (IR plan activation)
Acquirer and brand notification | Within 24 hours (planning target; confirm against your acquirer agreement) | Notify the acquiring bank; the acquirer reports to Visa/Mastercard/Amex/Discover through their compromise programs | Req. 12.10.1 (the IR plan must include notification of payment brands and acquirers)
PFI engagement | Within 3–5 days | Card brands typically mandate engagement of a PCI Forensic Investigator from the PCI SSC-listed PFI companies to conduct an independent forensic review | Card brand operating rules
Preliminary forensic report | Within 10–15 days | PFI delivers preliminary findings to the card brands and acquirer; identifies compromised account data | Card brand operating rules
Final PFI report | Within 60–90 days | Full forensic report; card brands assess non-compliance fines and fraud recovery, and may revoke processing privileges | Card brand operating rules

New in v4.0: Requirement 10.7 extends what used to be a service-provider-only control to every entity. 10.7.2 (a future-dated requirement, mandatory since March 31, 2025) requires that failures of critical security control systems be detected and alerted on promptly, and 10.7.3 requires that they be responded to promptly, including restoring the function and documenting how long it was down and what was exposed. The control list named in the requirement covers network security controls, IDS/IPS, change-detection mechanisms, anti-malware, physical and logical access controls, audit logging mechanisms, segmentation controls, audit log review mechanisms, and automated security testing tools where used. The practical consequence for breach response: a POS agent that silently stops reporting, or a log forwarder that is dropping events, must raise an alert itself, because the gap between failure and detection is time already lost from the acquirer notification window. Gap-test your detection capability before an incident, not during one.
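Here is an added example, not code from the page, the PCI SSC, or any vendor, of the kind of gap test that paragraph calls for: a check that every critical control is still reporting, that none has gone silent past a tolerated gap, and that none has logged its own failure. The control names, thresholds, failure signatures, and syslog-style sample lines are all constructed for the demonstration, and the "minutes since last good event" it returns is the figure to compare against whatever notification clock starts at detection.

```python
"""Detect silent or failed critical security controls, in the spirit of
PCI DSS v4.0 Requirement 10.7.  Added example for this page; control
names, thresholds, failure signatures and log lines are all constructed."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Maximum silence tolerated per control before it is treated as failed.
# Assumption: these identifiers and limits are ours; tune them from the
# observed logging cadence of your own CDE.
CRITICAL_CONTROLS: dict[str, timedelta] = {
    "fw-edge-01": timedelta(minutes=15),    # network security control
    "ids-cde-01": timedelta(minutes=30),    # IDS/IPS heartbeat
    "fim-pos-agent": timedelta(hours=1),    # change-detection (FIM)
    "av-pos-agent": timedelta(hours=4),     # anti-malware
    "log-forwarder": timedelta(minutes=5),  # audit logging mechanism
    "waf-cde-01": timedelta(minutes=15),    # filtering / segmentation control
}

# Messages that mean a control failed even though it is still emitting logs.
FAILURE_PATTERNS = (
    re.compile(r"service (stopped|crashed)", re.I),
    re.compile(r"tamper", re.I),
    re.compile(r"disk full|dropping events", re.I),
)

# Constructed syslog-style sample: "<ISO-8601 UTC> <control> <message>".
# There is deliberately no line at all for waf-cde-01.
SAMPLE_LOG = """\
2024-06-01T10:00:00Z fw-edge-01 ACCEPT tcp 10.1.2.3:51000 -> 10.9.0.5:443
2024-06-01T11:55:00Z fw-edge-01 DENY tcp 198.51.100.7:4444 -> 10.9.0.5:22
2024-06-01T11:50:00Z ids-cde-01 heartbeat ok sensors=4
2024-06-01T08:10:00Z fim-pos-agent baseline verified files=1312
2024-06-01T11:30:00Z av-pos-agent signatures updated version=20240601.3
2024-06-01T11:58:00Z log-forwarder queue=12 disk full, dropping events
this line is garbage and must be skipped
"""

# The moment the check runs; fixed so the example is reproducible.
EXAMPLE_NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")


def parse_log(text: str) -> dict[str, list[tuple[datetime, str]]]:
    """Group (timestamp, message) pairs per control, skipping unparseable lines."""
    by_control: dict[str, list[tuple[datetime, str]]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts_raw, control, msg = m.groups()
        try:
            ts = datetime.fromisoformat(ts_raw.replace("Z", "+00:00"))
        except ValueError:
            continue  # first token is not a timestamp: not a line we understand
        by_control.setdefault(control, []).append((ts, msg))
    return by_control


def find_control_failures(text: str, now: datetime) -> dict[str, tuple[str, int | None]]:
    """Return {control: (reason, minutes_since_last_good_event)} for every
    critical control that never reported (minutes is None), went silent past
    its limit, or logged an explicit failure.  The minutes figure bounds how
    long the control may already have been down: time already lost from any
    notification window that starts at detection."""
    by_control = parse_log(text)
    failures: dict[str, tuple[str, int | None]] = {}
    for control, max_gap in CRITICAL_CONTROLS.items():
        events = sorted(by_control.get(control, []))
        if not events:
            failures[control] = ("no events seen in the review window", None)
            continue
        last_ts, _ = events[-1]
        gap_min = int((now - last_ts).total_seconds() // 60)
        if now - last_ts > max_gap:
            limit_min = int(max_gap.total_seconds() // 60)
            failures[control] = (f"silent for {gap_min} min (limit {limit_min} min)", gap_min)
            continue
        for ts, msg in events:
            if any(p.search(msg) for p in FAILURE_PATTERNS):
                since = int((now - ts).total_seconds() // 60)
                failures[control] = (f"explicit failure at {ts.isoformat()}: {msg}", since)
                break
    return failures


if __name__ == "__main__":
    for name, (reason, minutes) in find_control_failures(SAMPLE_LOG, EXAMPLE_NOW).items():
        print(f"ALERT {name}: {reason} (minutes since last good event: {minutes})")
```

On the constructed sample the check flags three controls for three different reasons: the FIM agent has been silent for 230 minutes against a 60-minute limit, the log forwarder is still emitting but reports that it is dropping events, and the WAF has produced nothing at all. In production you would feed it the per-source last-seen timestamps from your SIEM rather than raw text, but the design point stands: the monitoring layer itself (the log forwarder here) is one of the controls being monitored, because a dead forwarder is exactly the failure that makes every other alert disappear.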

FFIEC Guidance: What Do Banking Regulators Expect?

The Computer-Security Incident Notification Rule, issued jointly by the OCC, FDIC, and Federal Reserve (compliance date May 1, 2022) and commonly filed under the FFIEC umbrella, requires the banking organizations they supervise to notify their primary federal regulator as soon as possible and no later than 36 hours after determining that a "computer-security incident" has become a "notification incident": one that has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, the institution's ability to carry out banking operations or deliver products and services to a material portion of its customer base, a business line whose failure would cause material loss of revenue, profit, or franchise value, or operations whose failure would threaten U.S. financial stability. Federally insured credit unions follow the NCUA's separate rule (effective September 1, 2023), which allows 72 hours after the credit union reasonably believes a reportable cyber incident has occurred.

36-Hour Bank Notification Triggers

  • Large-scale distributed denial of service (DDoS) attacks disrupting customer access
  • Ransomware locking core banking systems (loan origination, core deposits)
  • Unauthorized access to customer account information at scale
  • Failure of a bank service provider that materially disrupts bank operations
  • Malware propagating on the network that poses an imminent threat to core business lines or critical operations (a regulatory-compliance failure such as a BSA/AML lapse is a consequence to document, not a trigger on its own; the rule keys on operational disruption)

Bank Service Provider Notification to Banks

Under the same rule, bank service providers (core processors, cloud providers, payment processors) must notify at least one bank-designated point of contact at each affected bank as soon as possible after determining that a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, covered services for four or more hours. The rule places this duty on the provider directly, but banks should still name the contact and spell out the obligation in every material service provider agreement so the notice reaches someone who can act on it.

Frequently Asked Questions

What is NYDFS Part 500 and who must comply?

NYDFS Part 500 (23 NYCRR Part 500) is New York's cybersecurity regulation for entities licensed, registered, or chartered by the NY Department of Financial Services. Covered entities (banks, insurers, mortgage companies, and other DFS-licensed firms) must notify NYDFS within 72 hours of determining that a qualifying cybersecurity event has occurred, and within 24 hours of making any extortion payment. The November 2023 amendments added the privileged-account and ransomware triggers and a definition of "affiliate"; the licensed entity remains the party that must report.

Do I have to disclose a breach to the SEC?

Public companies must disclose material cybersecurity incidents on Form 8-K Item 1.05 within four business days of determining the incident is material. Materiality is assessed under the reasonable investor standard. The SEC actively reviews these filings and has brought enforcement actions for inadequate, late, or misleading disclosures.

What does the GLBA Safeguards Rule require after a breach?

Under the FTC's amended GLBA Safeguards Rule (breach-notification provision effective May 13, 2024), FTC-supervised financial institutions must notify the FTC as soon as possible and no later than 30 days after discovering a notification event affecting 500 or more consumers whose unencrypted customer information was, or is reasonably believed to have been, acquired without authorization. Customer notification timing is governed by state breach laws, which vary from "most expedient time possible" to fixed windows of up to 90 days.

What does PCI DSS v4.0 require after a breach?

PCI DSS v4.0 (mandatory since March 31, 2024, and superseded by v4.0.1 at the end of that year) requires entities that handle cardholder data to contain a suspected or confirmed compromise immediately, notify their acquiring bank and the card brands (Visa, Mastercard, American Express, Discover) within the window set by their acquirer agreement and brand rules (24 hours is the common planning target), and cooperate with a PCI Forensic Investigator (PFI) assessment mandated by the card brands.

Need Financial Services IR Expertise?

Financial institutions face simultaneous obligations to the FTC, NYDFS, SEC, OCC, FDIC, and card brands. Connect with IR firms that specialize in banking, insurance, and fintech breach response.