Bank Security Incident Reporting Obligations

These requirements apply to banks, credit unions, and other financial institutions supervised by the Federal Reserve (FRB), Office of the Comptroller of the Currency (OCC), and Federal Deposit Insurance Corporation (FDIC). They are among the most time‑sensitive cyber reporting rules in the federal regulatory landscape.

🛡️ Banking Organization Incident Reporting Requirements

In 2021, the federal banking regulators issued a joint rule—effective May 1, 2022—requiring banking organizations and their critical service providers to report certain computer‑security incidents within tight timeframes. The rule is designed to give regulators early visibility into cyber events that could threaten the safety, soundness, or operational stability of the financial system.

These requirements apply to all banking organizations supervised by the FRB, OCC, or FDIC, including:

  • National banks
  • State‑chartered banks
  • Savings associations
  • U.S. branches and agencies of foreign banks
  • Bank holding companies
  • Savings and loan holding companies
  • FDIC‑insured institutions

1. 36‑Hour Reporting Requirement for Banking Organizations

Banking organizations must notify their primary federal regulator within 36 hours of determining that a “notification incident” has occurred.

🔍 What is a “Notification Incident”?

A notification incident is a computer‑security incident that has materially affected—or is reasonably likely to materially affect—any of the following:

  • The viability of the banking organization
  • The ability to deliver banking products and services
  • The stability of operations
  • The confidentiality, integrity, or availability of critical systems

Examples include:

  • Ransomware that disables core banking systems
  • Distributed denial‑of‑service (DDoS) attacks causing prolonged outages
  • System failures affecting customer account access
  • Major third‑party service provider outages
  • Cyberattacks that disrupt payment operations

The 36‑hour clock begins once the bank determines that the incident meets the definition—not when the incident first occurs.

2. 4‑Hour Reporting Requirement for Bank Service Providers

Critical third‑party service providers (e.g., core processors, cloud providers, payment processors) must notify affected banking organization customers as soon as possible, and no later than 4 hours, after determining that they have experienced a computer‑security incident that has caused—or is likely to cause—a material service disruption.

The purpose of this short provider deadline is to give banks enough notice to meet their own 36‑hour reporting obligation to their primary federal regulator.

📄 What Must Be Reported?

The rule does not require a detailed forensic report. Instead, regulators expect:

  • A brief description of the incident
  • The date and time it was discovered
  • The systems and operations affected
  • Whether the incident is ongoing
  • Initial mitigation steps

Banks may provide additional updates as investigations progress.

🧩 How This Differs From Other Financial Sector Rules

The banking regulators’ 36‑hour rule is faster than many other federal requirements, including:

  • GLBA FTC Safeguards Rule: 30 days
  • SEC Form 8‑K Item 1.05: 4 business days after materiality determination
  • CIRCIA (proposed): 72 hours for cyber incidents; 24 hours for ransom payments

It is also separate from state breach notification laws, which focus on consumer notification rather than regulatory reporting.

⚠️ Consequences of Non‑Compliance

Failure to report can lead to:

  • Supervisory findings
  • Enforcement actions
  • Civil monetary penalties
  • Heightened regulatory scrutiny
  • Potential impacts on safety and soundness ratings