
Cyber Security Regulation Maze - Is the CISO’s, Compliance Officer’s and General counsel’s life getting more complicated?

  • Eva Frankenberger
  • May 19, 2024
  • 3 min read


The SEC has updated another rule regarding unauthorized access. The material cybersecurity incident disclosure addressed in the 2023 update to the 8-K rule is now supplemented by Regulation S-P, which requires notification within 30 days:

1. Covered institutions must provide notice of a breach as soon as possible, but no later than 30 days, if customer information was accessed by an unauthorized user. This notice must include details of the incident, the type of data that was breached, and guidance on how affected customers can protect themselves.

2. The incident response program must require institutions to notify individuals whose sensitive information was compromised.

3. Covered institutions must give notice of a breach as soon as possible but no later than 30 days if customer information was accessed by an unauthorized user. This notice must provide details of the incident, the kind of data that was breached, and how affected customers can best protect themselves.


A. I am very curious about your thoughts around the newly updated rule. Are you taking any steps to change your procedures in your organization?

B. How do you define unauthorized access?

C. Do you have a clear and structured list with timelines set up in your organization as part of your cybersecurity incident response?



I am wondering: does 'unauthorized access' also encompass:

  1. Internal users, such as developers, who were not authorized but gained access to customer information due to a configuration error? OR

  2. Mainly situations where internal users actually access the information? OR

  3. Only external unauthorized users, and internal users who extracted information outside of the organization or had malicious intent?

  4. Does this mean that an organization has to report a material cybersecurity incident in an 8-K within 4 business days and also comply with Regulation S-P by providing notice within 30 days, covering points 1-3? NYDFS-covered entities must notify the NYDFS as promptly as possible, but no later than 72 hours from the determination that a cybersecurity event has occurred. Additionally, if the breach involves certain types of sensitive personal information, does the organization have to provide credit monitoring for one year, as required by state laws such as those in California and Massachusetts; report the incident in accordance with HIPAA requirements (60 days to the individuals, the authorities and the public) if regulated by HIPAA; and notify data protection authorities within 72 hours as required by GDPR?

  5. In addition to the above, does the organization need to notify third-party data processors or vendors involved, make a public disclosure if necessary, and provide customer support services such as a hotline or dedicated team to handle inquiries and concerns?


——————-


Scenario

Scenario: Data Breach at XYZ Financial Services

Incident Overview:


On May 1, 2024, XYZ Services discovered that an unauthorized user had accessed its customer database due to a configuration error in its system. The breach involved sensitive personal information, including PHI, Social Security numbers, driver’s license numbers, and financial account information of approximately 100,000 customers.


Regulatory and Legal Obligations:

1. Notification to Customers:

  • Action: XYZ Services must provide notice of the breach to affected customers as soon as possible, but no later than 30 days from the discovery of the breach.

  • Details: The notice will include details of the incident, the type of data breached, and guidance on how affected customers can protect themselves, including steps for monitoring their accounts and reporting suspicious activities.

2. Incident Response Program:

  • Action: XYZ Services must ensure their incident response program requires notifying individuals whose sensitive information was compromised.

  • Details: The response program must document the breach, actions taken to mitigate harm, and steps to prevent future breaches.

3. Reporting Requirements:

  • Action: In compliance with Regulation S-P, XYZ Services must provide notice of the breach within 30 days.

  • Details: The notice will detail the incident, the type of data breached, and protective measures for customers.

4. Additional Legal Compliance:

  • 8-K Reporting: XYZ Services must report the cybersecurity incident in an 8-K filing with the SEC within 4 business days.

  • NYDFS: XYZ Services must notify the NYDFS as promptly as possible, but no later than 72 hours from the determination that a cybersecurity event has occurred.

  • Credit Monitoring: The company will offer one year of free credit monitoring to affected customers as required by California and Massachusetts state laws.

  • HIPAA Compliance: If any breached information falls under HIPAA, XYZ Services will report the incident in accordance with HIPAA requirements.

  • GDPR Compliance: As the breach affects customers in the EU, XYZ Services must notify the relevant data protection authorities within 72 hours as required by GDPR.

5. Third-Party Notification, Public Disclosure, and Customer Support:

  • Third-Party Notification: XYZ Services will notify any third-party data processors or vendors involved in handling the breached information.

  • Public Disclosure: Depending on the severity and public interest, XYZ Services will issue a press release to maintain transparency with stakeholders.

  • Customer Support: The company will set up a dedicated hotline and customer service team to handle inquiries and concerns from affected customers.


©2024 by Security Assurance.