Federal Bank Regulators Require Notifications For Material Cybersecurity Incidents

On November 18, 2021, a group of federal bank regulators announced a final rule requiring banks to notify their primary federal regulator of any “significant computer-security incidents.” Regulators must be notified no later than thirty-six hours after the bank has determined that the incident triggers the rule’s notification requirement. Further, bank service providers are now required to promptly notify all affected banks whenever a cybersecurity disruption lasts for four or more hours.

The rule is the latest regulation requiring entities that have suffered a cybersecurity incident to promptly notify a government agency. Unlike some of those regulations, this rule is not linked to compromised consumer data.

Background

The rule was initially proposed in January 2021. In the intervening months, both President Biden and Federal Reserve Chair Powell have described cyber-attacks as a major threat to the private and public sectors. In May 2021, President Biden issued an executive order to bolster federal cybersecurity standards. Congress, as part of its annual defense policy bill, is currently
