
Imagine this: Your financial services organization handles sensitive customer information and falls victim to a ransomware attack. An employee clicks on a phishing email, triggering a series of events that compromise your systems. You make a ransom payment to regain access, only to discover that personal customer data was stolen. Now, you face a maze of notification requirements.

Immediate Action

First, you must notify the SEC. Under Reg SCI, notification is required unless the incident has minimal organizational impact. Under Rule 10, notification is required if you reasonably believe the incident occurred. Both timelines start ticking immediately.

24 Hours After an Incident

Next, as a financial institution, you must inform the New York Department of Financial Services (NYDFS) about the ransomware payment within 24 hours.

36 Hours After an Incident

36 hours after the event, under the Computer-Security Incident Notification Rule, you notify your primary regulator—be it the OCC, Reserve Board, or FDIC—using their specified forms.

48 Hours After an Incident

At the 48-hour mark, the SEC Investment Advisor Rule kicks in, requiring notification based on whether the incident “has occurred or is occurring.” This calls for careful analysis to ensure compliance.

72 Hours After an Incident

By 72 hours, you’ll notify NYDFS again for a “qualifying cybersecurity event.” If your organization sells insurance, you must also notify state insurance commissioners. Here, the “has occurred or is occurring” standard remains crucial.

4 Business Days + Materiality

If the incident is deemed material—meaning it could influence an investor’s decision—it must be reported to the SEC within four business days of that determination. Simultaneously, you may need to notify law enforcement agencies like the FBI or FinCEN, and regulatory bodies such as the CFPB.


Business Obligations After an Incident

Beyond regulatory requirements, you’ll likely have obligations to your board, insurer, and customers. This includes informing affected individuals, state attorneys general, and third-party partners as specified in your contracts.

Cyber Risk Management Documentation is Key

Meticulous documentation of decisions, actions, and communications is essential throughout this process. It ensures compliance, provides clarity, and supports timely resolutions. Thorough documentation serves a multitude of critical purposes:

  • Ensure Compliance: Comprehensive documentation helps demonstrate adherence to legal and regulatory requirements, industry standards, and internal policies. This can be invaluable in the event of audits, investigations, or legal proceedings.
  • Provide Clarity: Clear and well-organized records provide a transparent account of the incident, the response, and the rationale behind key decisions. This can be essential for internal and external stakeholders who need to understand what happened and why specific actions were taken.
  • Support Timely Resolutions: Detailed documentation can facilitate efficient and effective incident resolution by providing a readily available reference for all involved parties. This can help prevent misunderstandings, streamline communication, and expedite the recovery process.
  • Aid in Future Incident Response: Thorough documentation of lessons learned and best practices can be used to improve future incident response efforts. By capturing and analyzing this information, organizations can identify areas for improvement and develop more effective strategies for managing similar incidents in the future.

Stay Ahead of Regulatory Requirements with Radar® Compliance

Cyber incidents are complex, but managing them doesn’t have to be. With Radar® Compliance, you can simplify reporting obligations and streamline your response with tools that help you track, assess, and notify—on time, every time.

Protect your organization and your customers.