New rule requires US banks to report cyber incidents within 36 hours

From May next year, US banks will be required to notify regulators within 36 hours of any significant cyber incident that could threaten national financial systems, under new rules announced by the US Federal Reserve.

The final rule requires a banking organisation to notify its primary federal regulator of any significant computer security incident as soon as possible – and no later than 36 hours – after it determines that a cyber incident has occurred.

Notification is required for incidents that have materially affected, or are reasonably likely to materially affect, the viability of a bank's operations, its ability to deliver products and services, or the stability of the financial sector.

In addition, the final rule requires a bank service provider to notify affected customers as soon as possible when the provider determines that it has experienced a cyber incident that has materially affected, or is reasonably likely to materially affect, customers for four or more hours.
