The financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. In 2022, Congress established a uniform reporting standard that applies to every major sector of the economy and outlines expectations for how the private sector and its government partners should share information following a cyber incident. Regulators are now working to implement the legislation, and it is important to ensure that any new expectations are harmonized and aligned with existing requirements for financial firms; this helps to avoid disruptions that may negatively affect a financial institution’s ability to respond to an incident and reduces the risk of developing new rules that either duplicate or conflict with existing regulations.
In addition to reporting from the private sector, it is critical that federal agencies and independent regulators also report incidents when they experience a breach that affects the sensitive information of businesses or consumers.
To help guide implementation efforts, the following is a snapshot of some of the existing requirements that apply to financial institutions.
U.S. Federal Requirements and Proposals
1. Cyber Incident Reporting for Critical Infrastructure Act (2022)
Requires critical infrastructure companies to report significant cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours. It also requires firms to report a ransomware payment within 24 hours. CISA is required to issue a proposed rule to implement these requirements no later than March 2024.
- Reporting Timeline – 72 hours after determining a cyber incident has occurred.
- Definitions – Significant cyber incidents are defined as an incident or group of incidents that are likely to result in demonstrable harm to national security interests, foreign relations, or the economy, or to public confidence, civil liberties, or public health and safety. Other key definitions for types of entities required to report and specific information required will be determined through a rulemaking process.
- Scope of Reporting – A “covered cybersecurity incident” to be defined through the rulemaking process.
- Reporting Mechanism – Reports to be provided to CISA according to requirements set through the final rule.
2. Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (2022)
Under the final rule issued jointly by the Office of the Comptroller of the Currency, Federal Reserve Board, and the Federal Deposit Insurance Corporation, incident notification to the banking organization’s primary federal regulator is triggered upon determination that a computer-security incident has occurred that has caused, or is reasonably likely to cause, actual harm to the institution’s operations and ability to deliver products and services to a significant portion of its customers, or could pose a risk to the financial stability of the United States.
- Reporting Timeline – As soon as possible but no later than 36 hours from the determination by the banking organization that an event has crossed the notification incident materiality threshold.
- Definitions – A computer security incident is defined as an occurrence that jeopardizes the confidentiality, integrity or availability of an information system or the information a system processes, stores, or transmits[1]; a notification incident is defined as a significant computer security incident that has jeopardized, or is reasonably likely to jeopardize, the viability of the operations of a financial institution, prevent customers from accessing their deposit and other accounts, or impact the stability of the financial sector.
- Scope of Reporting – covers nonpublic customer information and information technology systems[2].
- Reporting Mechanism – Notification to be provided to the primary federal regulator; intended to provide early awareness of emerging threats to individual institutions and potentially the broader financial system.
3. SEC Proposed Rule on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure (2022)
On March 9, 2022, the SEC released a notice of proposed rulemaking to enhance disclosure requirements for registered public companies. Among several requirements designed to provide investors with information about cybersecurity risk management, governance, and strategy, the proposal requires public companies experiencing a material cybersecurity incident to disclose certain non-technical information in an 8-K filing within four business days of the materiality determination. It further requires additional details to be provided on 10-Q and 10-K filings. Additionally, incidents that are immaterial but could become material in the aggregate are required to be reported as an element of the 10-K filing.
- Reporting Timeline – Within four business days following determination that a material incident has occurred.
- Definitions – Materiality is defined within the established SEC standard for public company disclosures.
- Scope of Reporting – Covers all material cybersecurity incidents within the four-day period, and immaterial incidents that become material in the aggregate for the annual reporting period.
- Reporting Mechanism – Reporting and disclosures provided through investor disclosures (8-K, 10-Q, and 10-K).
4. SEC Proposed Rule on Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies (2022)
- Reporting Timeline – Promptly, but within 48 hours after having a reasonable basis to conclude that a significant incident has occurred or is occurring.
- Definitions – A significant incident is defined as a single or combination of cyber incidents that significantly disrupt or degrade an adviser’s ability, or the ability of a private fund client of the adviser, to maintain critical operations.
- Scope of Reporting – Covers significant incidents as defined by the proposed rule, as well as certain unauthorized access or use of adviser information resulting in substantial harm to the adviser, client, or an investor in the private fund whose information was accessed.
- Reporting Mechanism – New proposed form that includes general and specific questions related to the significant cybersecurity incident (e.g., nature and scope and whether disclosure has been made to clients and/or advisers).
5. Securities & Exchange Commission (SEC) Guidance on Public Company Cybersecurity 10-Q, 10-K and 8-K Disclosures (2018)
On Feb. 26, 2018, the SEC released a clarification to earlier 2011 general disclosure guidance that warned public companies that cyber incidents may have to be reported through public disclosures. The clarification guidance puts public companies on more stringent notice with regard to breach notification practices and requires reporting of material cyber incidents and their potential security risks within quarterly, yearly and, if needed, current filings.
- Reporting Timeline – Dependent on the materiality of a given incident in relation to the timing of the preparation and release of a periodic disclosure filing, but states that it is critical that public companies take all required actions to inform investors about material cybersecurity risks and incidents in a timely fashion.
- Scope of Reporting – Covers material cybersecurity incidents and associated potential security risks.
- Reporting Mechanism – Reporting/disclosure provided through investor disclosures (10-Q, 10-K and 8-K if necessary).
6. Gramm-Leach-Bliley Act (1999)
Under the GLBA and its implementing regulations[3], cyber incident reporting is triggered when a financial institution becomes aware of unauthorized access to sensitive customer information that is, or is likely to be, a misuse of the customer’s information. To ensure adherence to these requirements, regulators conduct ongoing and rigorous reviews of institutions’ operating and governance processes, including data security and data handling processes and third-party risk management measures. Failure to report incidents and adhere to these requirements could result in serious enforcement measures including mandatory corrective action directives, restrictions on activities and fines.
- Reporting Timeline – As soon as possible once the institution determines unauthorized access occurred.
- Definitions – A cyber incident is defined as unauthorized access to sensitive customer information.
- Scope of Reporting – Covers nonpublic customer information such as personally identifiable financial information, financial transaction information, income and credit rating data, etc.
- Reporting Mechanism – Report provided to regulators; information becomes part of ongoing regulatory oversight/examinations.
European Union Requirements
7. European Union General Data Protection Regulation (GDPR)
GDPR sets specific privacy parameters for use, data security and handling of consumer data.
- Reporting Timeline – Not later than 72 hours after becoming aware of the breach.
- Definitions – A “data breach” is defined as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
- Scope of Reporting – Personal data[4].
- Reporting Mechanism – Entities report to the agency designated by each Member state, which then notifies other Member states as needed.
8. European Union NIS Directive 1.0
In 2016, the EU mandated cyber incident reporting for all sectors defined under the term Essential Services, which is similar to the U.S. term Critical Infrastructure. However, the EU also imposes mandatory security requirements on Digital Service Providers and stricter reporting requirements on DSPs[5]. The EU is in the midst of updating the Directive (NIS 2.0), under which notification must occur for any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data, or of the related services offered by, or accessible via, network and information systems.
- Reporting Timeline – 24 hours from when an entity is aware of an incident, and then a report 30 days later.
- Definitions – An incident means any event having an actual adverse effect on the security of network and information systems.[6]
- Scope of Reporting – The Directive does not define the threshold for a significant incident requiring notification to the relevant EU Member state national authority, but it defines three parameters for reporting: number of users affected; duration of incident; geographic spread. DSPs have five requirements that are broader.
- Reporting Mechanism – Entities report to the agency designated by each Member state.
Insurance Industry Requirements and Model Legislation
9. National Association of Insurance Commissioners (NAIC) Model Law
Insurance is a state-regulated business model overseen by the insurance commissioners of the 50 states. Financial institutions with insurance subsidiaries must operate within these 50 jurisdictions under the rules of the several states in which they provide insurance products. The National Association of Insurance Commissioners (NAIC) developed a cybersecurity framework model law that guides states in adopting their own statutes on cyber incident notification. The model law is not binding until adopted by an individual state; states are free to modify or decline to adopt any aspect or provision of the model law through their state legislative process. As of July 2021, fewer than 20 states have adopted the model law in whole or in part, but its framework is under active consideration in many more.
- Reporting Timelines – Under the language of the model law, notification is to be made as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred. However, adopting states are free to, and do, vary their reporting timelines.
- Definitions – A cybersecurity event means an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such an Information System. An Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
- Scope of Reporting – Under the language of the Model Law, covers information systems and information stored on information systems.
- Reporting Mechanisms – Under the language of the Model Law, notification is made to the state insurance commissioner and affected consumers as directed by the adopting state’s data breach notification law.
State Requirements
10. New York Department of Financial Services (NYDFS) Cybersecurity Regulation
The NYDFS regulations[7] became effective on March 1, 2017, and add another layer of mandatory cybersecurity reporting requirements for financial services companies. A financial institution must notify NYDFS when a cyber event triggers reporting to any other government body, regulatory or self-regulatory agency. Notification is also triggered if there is a reasonable likelihood of material harm to the institution’s operations.
- Reporting Timeline – 72 hours from the determination that a cyber event has occurred.
- Definitions – A cyber event is defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an information system or information stored on an information system.
- Scope of Reporting – Covers nonpublic customer information and information technology systems[8].
- Reporting Mechanism – Report provided to NYDFS; information becomes part of ongoing regulatory oversight.
11. State Data Breach Notification Requirements
All 50 states have codified a version of a consumer data breach notification statute[9], which contains provisions intended to protect against unauthorized access of computerized data and personal information. The statutes generally also require notification to affected residents of the state whose personal information was or is reasonably believed to have been compromised. In most cases, the statute also requires notice in varying combinations to the state’s Attorney General, state law enforcement and credit reporting agencies. Although in many states financial institutions are statutorily exempted or deemed in compliance due to their existing compliance with federal standards like GLBA, federal banking regulatory guidance, or in some cases, by operation of their supervision by a federal entity, the exemption provides little relief. Still, many financial institutions purposefully do not avail themselves of the state exemption and notify the relevant state authority to avoid being penalized for inadvertent nondisclosure.
- Reporting Timelines – Varies by state, ranging from “within the most expedient time possible and without unreasonable delay…” to “72 hours from the determination that a cyber event has occurred…”
- Definitions – Varies by state.
- Scope of Reporting – Varies by state but generally covers unauthorized access of personal information.
- Reporting Mechanisms – Varies by state, but nearly always requires notice to affected residents of the state, and generally some combination of the state Attorney General, state law enforcement, and credit reporting agencies. It can also occasionally require notice to subordinate state regulatory offices as directed by the state legislature or state executive.
Key Definitions
Systemically Important Financial Institutions
Congress is also considering creating a new definition for critical infrastructure, “Systemically Important Critical Infrastructure (SICI),” modeled after the financial designation of Systemically Important Financial Institutions (SIFI). Under Section 113 of the Dodd-Frank Act, a financial institution may be named a SIFI if the nature, scope, size, scale, concentration, interconnectedness, or mix of its activities could pose a threat to U.S. financial stability. The designation is made by the Financial Stability Oversight Council[10] and subjects institutions to enhanced regulatory standards.
Information Technology Systems
NIST defines an information technology system as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”[11]
[1] This definition is taken from NIST which states a computer security incident is “an occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” See NIST, Computer Security Resource Center, Glossary https://csrc.nist.gov/glossary/term/Computer_Security_Incident
[2] The NPR does not define information technology systems.
[3] Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. See https://www.federalregister.gov/documents/2005/03/29/05-5980/interagency-guidance-on-response-programs-for-unauthorized-access-to-customer-information-and
[4] Personal data is under GDPR here: https://gdpr-info.eu/art-4-gdpr/
[5] Essential Services are defined by the EU in the NIS Directive and were implemented in 2016. See: https://eur-lex.europa.eu/eli/dir/2016/1148/oj
[6] For definition of “incident,” see https://eur-lex.europa.eu/eli/dir/2016/1148/oj
[7] See New York Codes, Rules and Regulations (23 NYCRR 500). https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)
[8] Defined as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”
[9] See “Sample of Cyber-Incident Notification Requirements”
[10] For more information on FSOC see https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/fsoc/about-fsoc
[11] See https://csrc.nist.gov/glossary/term/information_system.