Skip to content

New Proposed Rule Requires Banks to Notify Regulators Within 36 Hours of a Cybersecurity Incident

Download Alert Now!

Why This Privacy Law is Important:

This would require a banking organization to notify its primary regulator no later than 36 hours after reasonably determining that a qualifying incident has occurred, and it would require a bank service provider to notify a banking organization immediately upon detecting that an incident occurred.


On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers (Proposed Rule), which would create accelerated notification obligations for banking organizations and bank service providers in the event of a security incident.

Who This Law Applies To:

  • “Banking organizations,” which are defined as: 
    • For the OCC: national banks, federal savings associations, and federal branches and agencies.
    • For the Board: all U.S. bank holding companies and savings and loan holding companies; state member banks; the U.S. operations of foreign banking organizations; Edge and agreement corporations.
    • For the FDIC: all insured state nonmember banks, insured state-licensed branches of foreign banks, and state savings associations.
  • This also applies to bank service providers, which is defined as “a bank service company” or other person providing services to a banking organization that is subject to the Bank Service Company Act.

Download the Privacy Alert to the right to get the full text and expert analysis!