Home > Legal Updates > Federal government issues new cybersecurity incident reporting rule for banks and bank service providers

Federal government issues new cybersecurity incident reporting rule for banks and bank service providers

Last week, the federal government published a Final Rule imposing new cybersecurity incident notification obligations upon certain banks and bank service providers.

Specifically, banking organizations covered by the Rule must give notice to their primary regulator as soon as possible and not later than 36 hours after determining certain cybersecurity incidents have occurred, even if the banking organization is not aware of any unauthorized access of acquisition of sensitive customer information. Similarly, bank service providers also have a new notification obligation to their bank organization clients.

Click here for more information on what organizations the Rule applies to, examples of incidents that would trigger notification obligations, and insight on next steps banks and service providers should take.