US – Banks must report cyber attacks within 36 hours24. November 2021
US – Banks must report cyber attacks within 36 hours
Banks are now required to report all major cybersecurity incidents to their primary federal regulator within 36 hours of discovery. They must also notify customers if the incident could affect them for at least four hours.
Serious cybersecurity incidents include any incident that threatens the U.S. financial sector or prevents a bank from conducting its business.
The Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency have approved the new requirements.
The rules apply only to banks regulated by these three agencies.
The rules take effect April 1, 2022, and banks must comply by May 1, 2022.