Home > Legal Updates > Federal government issues new cybersecurity incident reporting rule for banks and bank service providers

Federal government issues new cybersecurity incident reporting rule for banks and bank service providers

On November 19, 2021, the federal government published a Final Rule (“Rule”) imposing new cybersecurity incident notification obligations upon certain banks and bank service providers. Specifically, banking organizations covered by the Rule must give notice to their primary regulator as soon as possible and not later than 36 hours after determining certain cybersecurity incidents have occurred, even if the banking organization is not aware of any unauthorized access of acquisition of sensitive customer information. Similarly, bank service providers also have a new notification obligation to their bank organization clients. Discussion of the Rule and how to prepare for it follows. Read more…