US federal bank regulatory agencies have approved a new rule ordering banks to notify their primary federal regulators of significant computer-security incidents within 36 hours.
Banks are only required to report major cyberattacks if they have or will likely impact their operations, the ability to deliver banking products and services, or the US financial sector’s stability.
Bank service providers will also have to notify customers “as soon as possible” if a cyberattack has materially affected or will likely affect the customers for four or more hours.
Examples of incidents that need to be reported under the new rule include large-scale distributed denial of service attacks that disrupt customer account access to banking services or computer hacking incidents that takedown banking operations for extended periods of time.