Effective date of rule requiring notification of computer-security incidents

04/01/2022

The Federal Reserve Board, OCC, and FDIC jointly announced yesterday their approval of a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system. The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred. Notification is required for incidents that have materially affected—or are reasonably likely to materially affect—the viability of a banking organization's operations, its ability to deliver banking products and services, or the stability of the financial sector.

In addition, the final rule requires a bank service provider to notify affected banking organization customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours.

The rule becomes effective April 1, 2022. Compliance with the rule is required by May 1, 2022.

See our March 30, 2022, Top Story for agency instructions for reporting incidents.
