Federal bank regulatory agencies announced the approval for a final rule that will require a banking organization to report “any significant computer-security incident” as soon as possible and no later than 36 hours after the banking organization determines that a cyber incident has occurred to its primary federal regulator. The rule will also require bank service providers to notify its customers as soon as possible when the provider determines that it has experienced a computer-security incident that has materially affected or is reasonably likely to materially affect banking organization customers for four or more hours. Compliance with the final rule is required by May 1, 2022.

Link to Rule