Cybersecurity Incidents and Events - The Cybersecurity Regulation

Since the original 2017 version of the Cybersecurity Regulation, Covered Entities were required to notify the DFS of any cybersecurity event. See 23 NYCRR 500.1(f), (g). In the most recent amendment to 23 NYCRR 500, Covered Entities are required to notify NYDFS of a qualifying "cybersecurity incident." See 23 NYCRR 500.1(f), (g).

Cybersecurity Event: any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System

Cybersecurity Incident: a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
1) impacts the covered entity and requires the convered entity to notify any government body, self-regulatory agency or any other supervisory body;
2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
3) results in the deployment of ransomware within a material part of the covered entity's information systems.

WHY is this important?

The original cybersecurity event definition generally covered malicious attacks on confidentiality, integrity, and availability, it mandates a continuous notification scheme to DFS.

In the recent amendments, cybersecurity incidents do not have to be situations where there was a malicious actor; but rather any flaw found within a Covered Entity's systems that impact the Entity, or have a reasonable likelihood of harming the Entity must not be reported.