When the New York Department of Financial Services (“NYDFS”) issued its new cybersecurity rules in March, one question came up frequently: When are covered entities required to report an unsuccessful cyber attack? The rules provide that notification must be made to the NYDFS within 72 hours from a determination that a cybersecurity event has occurred that has a reasonable likelihood of materially harming normal operations, and the definition of a cybersecurity event includes an unsuccessful attack. In our Webinar on NYDFS cybersecurity compliance last month, we noted that an unsuccessful attack could meet the NYDFS notice requirement. For example, if a covered entity determined that it was under attack by North Korea’s Unit 180, we noted that this, by itself, could be reportable. The covered entity may decide that it had not anticipated or prepared for such a sophisticated and persistent cyber threat, and therefore conclude that the attack was either already successful in some way (or would soon be successful), even if the entity could not confirm that within 72 hours.
Last week, the NYDFS updated its FAQ page to provide guidance on when it expects to be notified of an unsuccessful attack, which follows the same general approach:
The Department anticipates that most unsuccessful attacks will not be reportable, but seeks the reporting of those unsuccessful attacks that, in the considered judgment of the Covered Entity, are sufficiently serious to raise a concern. For example, notice to the Department under 23 NYCRR Section 500.17(a)(2) would generally not be required if, consistent with its Risk Assessment, a Covered Entity makes a good faith judgment that the unsuccessful attack was of a routine nature. . . . Accordingly, Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.
There are two important takeaways from this guidance. First, the NYDFS uses the word “requested” rather than “required,” which is consistent with the rest of the update’s theme of the NYDFS using information about unusual threats to “improve cybersecurity generally across the industries regulated by the [NYDFS].” Indeed, the update stresses that the NYDFS “does not intend to penalize Covered Entities for the exercise of honest, good faith judgment.” So, while it may be rare that an unsuccessful attack requires notification, companies will have to consider NYDFS’s express request to receive information about unusual threats, even if unsuccessful, in making notification decisions.
Second, the update demonstrates the importance that the NYDFS will likely place on risk assessments in deciding whether companies have complied with the rules. As with decisions relating to cybersecurity programs generally, the NYDFS has now made clear that notification decisions should be informed by the results of the risk assessments that must be conducted under the rules.