US banks must soon report significant cybersecurity incidents within 36 hours


US financial regulators have approved a new rule that requires banking organizations to report any “significant” cybersecurity incident within 36 hours of discovery.


Under the rule, banks must notify their primary federal regulator of incidents that are likely to materially affect the viability of their operations, their ability to deliver products and services, or the stability of the US financial sector. This can include large-scale distributed denial of service (DDoS) attacks that disrupt customers’ access to banking services, or hacking incidents that disable banking operations for extended periods.

Additionally, the rule requires bank service providers to notify their bank customers “as soon as possible” when a computer-security incident has materially disrupted, or is reasonably likely to disrupt, the services they provide for four hours or more. The rule defines the banks it covers as “banking organizations”, a term that includes national banks, federal savings associations and federal branches of foreign banks.


“Computer-security incidents can result from destructive malware or malicious software (cyber attacks) as well as non-malicious failures of hardware and software, personnel errors, and other reasons,” the Computer-Security Incident Notification Final Rule says. “Cyber attacks targeting the financial services industry have increased in frequency and severity in recent years. These cyber attacks can adversely affect the networks, data and systems of banking organizations and ultimately their ability to resume normal operations.”

The final rule, approved by the Federal Deposit Insurance Corporation (FDIC), the Board of Governors of the Federal Reserve System (Board), and the Office of the Comptroller of the Currency (OCC), takes effect on April 1, 2022, with full compliance expected by May 1, 2022.


It is not clear whether the rule will also apply to banking startups and fintech companies. Nerdshala contacted the FDIC for more information but did not immediately hear back.

Financial regulators first proposed the notification requirement in December, but after receiving negative feedback from industry groups they changed some elements of the final rule. For example, the original version stated that banks would have to report incidents if they “believe in good faith” they had suffered a significant cyber incident, but the industry warned that this could lead to widespread over-reporting, and the rule was changed.

“After careful consideration of the comments, the agencies are replacing the ‘good faith’ standard with a determination standard,” the final rule states. “The agencies agree with the commenters who criticized the proposed ‘good faith belief’ standard as too subjective and imprecise.”

The Bank Policy Institute (BPI), one of the industry groups that commented on the regulation, said in a statement that it supported the final rule.

“BPI recognizes the value of timely notification and supports the final rule, which establishes a clear timeline and flexible process for notifying regulators and affected parties when a significant event occurs,” said Heather Hogsett, BPI’s senior vice president of technology and risk strategy. “The rule importantly draws a clear distinction between notification and reporting. Cyber incident notification encourages early collaboration between regulators and banks to keep regulators informed of situations that could have broader implications for the financial system while banks work to respond to and investigate the incident.”
