FDIC Requires Banks to Report Cyberattacks in 36 Hours
November 22, 2021
Federal bank regulatory agencies approved a final rule to improve the sharing of information about cyber incidents that may affect the U.S. banking system. The final rule requires a banking organization to notify its primary federal regulator of any significant computer-security incident as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred.
Notification is required for incidents that have materially
affected—or are reasonably likely to materially affect—the viability
of a banking organization’s operations, its ability to deliver
banking products and services, or the stability of the financial