Banks are now required to notify their main federal regulator of all major cybersecurity incidents within 36 hours of discovery. They must also notify customers if the incident could affect them for four hours or more.
- Major cybersecurity incidents are defined as anything that threatens the U.S. financial sector or prevents a bank from carrying out its operations.
- The Federal Reserve, Federal Deposit Insurance Corporation, and Office of the Comptroller of the Currency approved the new requirements.
- The rules only apply to banks that are regulated by these three authorities.
- The rules will go into effect on April 1, 2022, and banks must comply by May 1, 2022.