U.S. federal banking agencies issue rule requiring banks to notify regulators of cyber incidents within 36 hours

November 30, 2021

On November 18, 2021, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation, issued a final rule requiring banking organizations to notify their primary federal regulator of significant computer-security incidents no later than 36 hours after determining the incident has occurred. The rule also requires bank service providers to notify their banking organization customers of any computer-security incident that has caused, or will likely cause, significant disruption. The rule imposes substantial new cyber security reporting requirements on banks with an effective compliance date of May 1, 2022.

Download PDF

Clifford Chance

Briefings

U.S. federal banking agencies issue rule requiring banks to notify regulators of cyber incidents within 36 hours

November 30, 2021

Daniel Silver (He/Him)

Partner

New York

Megan Gordon

Office Managing Partner, Washington, DC

Washington D.C.

Celeste Koeleveld

Partner

New York

Philip Angeloff

Counsel

Washington D.C.

Brian Yin

Associate

Washington D.C.

Daniel
Silver (He/Him)

Partner

New York

Megan
Gordon

Office Managing Partner, Washington, DC

Washington D.C.

Celeste
Koeleveld

Partner

New York

Philip
Angeloff

Counsel

Washington D.C.

Brian
Yin

Associate

Washington D.C.

Toolkits & Client Log-in