Banking Agencies Propose New Reporting Rules for Cyber Incidents


Federal banking agencies are requesting feedback on a joint proposal that would expand and hasten reporting requirements for computer security incidents. The Treasury Department’s Comptroller of the Currency, the Federal Reserve, and the FDIC are seeking to create an “early alert” requirement that covers a wider range of incidents than current regulations do and sets a tighter timeframe for reporting them.

An incident requiring notification could include “major computer-system failures, cyber-related interruptions, such as coordinated denial of service and ransomware attacks, or other types of significant operational interruptions.” Banks would need to report an incident no more than 36 hours after they come to “believe in good faith” it has occurred. Bank service providers would have an obligation to “immediately” report such incidents to their bank customers.