Banks ordered to promptly flag cybersecurity incidents under new rule


U.S. banking regulators finalized a rule on Thursday that directs banks to report any major cybersecurity incidents to the government within 36 hours of discovery.

The rule stipulates that banks must notify their primary regulator of a significant computer security breach as soon as possible, and no later than 36 hours after its discovery.

Banks also must notify customers as soon as possible of a cybersecurity incident if it results in problems lasting more than four hours.

The new requirement applies to any cybersecurity incidents that are expected to materially impact a bank's ability to provide services or conduct its operations, or to undermine the stability of the financial sector. The rule was approved by the Federal Reserve, Federal Deposit Insurance Corporation and Office of the Comptroller of the Currency.

The rule sets explicit expectations on how quickly banks must make cybersecurity breaches known, as regulators look to catch up to the rapidly growing role technology is playing in every type of banking service. Previously, there was no specific requirement for how quickly a bank must report a major computer breach.