New rule requires US banks to report cyber incidents within 36 hours

From May next year, US banks will be required to notify regulators within 36 hours of any significant cyber incident that could threaten national financial systems, under new rules announced by the US Federal Reserve.

The final rule requires a banking organisation to notify its primary federal regulator of any significant computer security incident as soon as possible – and no later than 36 hours – after it determines that a cyber incident has occurred.

Notification is required for incidents that have materially affected, or are reasonably likely to materially affect, the viability of a bank's operations, its ability to deliver products and services, or the stability of the financial sector.

In addition, the final rule requires a bank service provider to notify affected customers as soon as possible when the provider determines that it has experienced a cyber incident that has materially affected, or is reasonably likely to materially affect, customers for four or more hours.
