NYDFS Cyber Incident Reporting Requirement

NYDFS Cybersecurity Regulation (23 NYCRR Part 500) – Incident Reporting Requirements

The NYDFS Cybersecurity Regulation, first adopted in 2017 and significantly amended in 2023, establishes mandatory cybersecurity standards for financial services companies licensed or regulated by the New York Department of Financial Services. A core component of the regulation is its rapid cyber incident reporting requirement, which mandates that covered entities notify NYDFS of certain cybersecurity events within a short timeframe.

Who Must Comply?

Any organization regulated by NYDFS, including:

  • Banks and trust companies
  • Mortgage lenders and servicers
  • Insurance companies
  • Money transmitters
  • Virtual currency businesses
  • Consumer lenders
  • Licensed financial services firms

If you hold a DFS license, charter, registration, or authorization, you are subject to Part 500.

📅 Incident Reporting Timeline

Notification must be made to NYDFS within 72 hours

Covered entities must notify NYDFS no later than 72 hours after determining that a cybersecurity event has occurred if the event:

  1. Requires notice to any other government body, self‑regulatory agency, or supervisory body, or
  2. Has a reasonable likelihood of materially harming:
      • The normal operations of the entity, or
      • Any material part of its information systems

This 72‑hour requirement is strict and applies even if the full scope of the incident is not yet known.

🔍 What Counts as a Reportable Cybersecurity Event?

A “cybersecurity event” is broadly defined as:

Any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or information stored on such system.

However, not all events are reportable. They become reportable when they meet one of the two triggers above.

Examples of reportable events include:

  • Ransomware attacks
  • Unauthorized access to nonpublic information
  • Significant system outages caused by cyber events
  • Data exfiltration or compromise
  • Attacks requiring notice under other laws (e.g., GLBA, HIPAA, state breach laws)

🆕 2023 Amendments – Expanded Reporting Requirements

The 2023 amendments strengthened the reporting obligations:

  1. Ransom Payments Must Be Reported
      • Within 24 hours of making a ransom payment
      • A follow‑up report within 30 days explaining:
          • Why payment was made
          • Alternatives considered
          • Due diligence performed
          • How the incident occurred

  2. Third‑Party Service Provider Incidents

      Incidents affecting third‑party vendors must be reported if they impact the covered entity’s operations or data.

  3. Additional Governance Requirements

      Boards and senior officers must certify compliance annually, increasing accountability for timely reporting.

📄 What Must Be Included in the Report?

NYDFS expects:

  • Description of the event
  • Date and time of detection
  • Systems and data affected
  • Whether nonpublic information was compromised
  • Mitigation steps taken
  • Impact on operations
  • Whether law enforcement or other regulators were notified

NYDFS may request additional details as the investigation evolves.

⚠️ Consequences of Non‑Compliance

NYDFS has broad enforcement authority. Penalties may include:

  • Civil monetary penalties
  • Consent orders
  • Remediation mandates
  • Public enforcement actions
  • Potential license impact for severe violations

NYDFS has historically imposed multi‑million‑dollar penalties for cybersecurity failures, including delayed or incomplete incident reporting.