Bank breach reporting rules in the United States go into effect on May 1

Banks have to inform regulators about cyber incidents within the first 36 hours in the U.S. After the enterprise suffers a certified ‘computer security incident.’ Therefore, new rules came into effect on May 1 in the U.S., passed by a community of U.S regulators, including Federal Deposit Insurance Corp., the Board of Governors of the Federal Reserve System, and the office of the auditor of the currency. The regulation was first adopted in November 2021.

Senior Vice President of Strategy Engagements and threats at cybersecurity AI firm Darktrace Marcus Fowler told the information security media group that; banking and institutions, which are the foundation of the U.S economy, are one of the most harassed by global cyber adversaries. 

Also, he stated, ‘This regulation is essential as timely notification plays an important role in limiting the attacks’ scale, mainly for the organizations which depend upon the threat intelligence for protective capability.’

Many cybercriminals carry out attacks as part of more extensive campaigns, such as executing supply chain attacks that affect dozens of victims. However, supply chain attacks are mostly industry basic because of dependence on the same software or distributor for business operations. 

In addition, attackers generally accelerate their offensive processes to expose as many victims as possible. Before the protector can put a patch in place or distribute a settlement mark after the campaign is determined’ says Fowler. He also adds that quick reporting of beaches might help similar institutions from getting oppressed. However, it is a new requirement from the FDIC and other regulators.

Most U.S banks have been subject to a 72-hour incident reporting rule through the New York Department of Financial Services cybersecurity regulation, says Gary Brickhouse, the chief information security officer(CISO) of GuidePoint Security.

Brickhouse also says that “FDIC has validated the modesty of the notification process as it has ‘set forth no particular content or format.’ However, the reporting time of 36 hours is a smaller window than most familiar ones. In addition, you have a real rather than a potential security incident by starting the 36-hour notification clock after you have been purposeful.

Describing a Computer Security Incident

As per Brickhouse, the rule seems to be easy. However, the more challenging part is how the FDIC describes the notification incident. In the 80-page-long draft rule, government agencies stated this correctly.

A computer-security incident is an incident that results in genuine harm to the confidentiality, integrity, or attainability of an information system. Or the information that the system exercises, stores, or conveys.

As per the agencies, the incident requiring the subsequent notification interprets as a ‘computer-security incident’. That has agitated or demeaned a banking organization’s operations. And its capability to deliver services to a “material segment of its customer base” and business lines.

Agencies listed the following incidents as notifications based on the evaluative data and apprehensive activity reports. Also, categorize them with the Treasury Department’s Financial Crimes Enforcement Network in 2019 and 2020.

  • Ransomware attacks that coded the core banking system or backup data.
  • Bank Service provider encountering extensive system blackout.
  • Breakdown in the upgrading of the system resulting in extensive user blackout.
  • Computer hacking event disabling banking operations for an extensive period.
  • Incurable system failure results in the exhilaration of a continuity or disaster recovery aim.
  • The presence of malware on a bank’s network that threatens core operations
  • Expanded DDoS attacks are disturbing account access for more than 4 hours.


The agencies give detailed guidance for regulated banking institutions to follow while describing the cybersecurity events on March 29, 2022.

FDIC Incident Reporting Information

FDIC administers banks can observe the rule by reporting an incident to the case manager, who distributes as a primary FDIC contact for executive-linked matters, or to any member of an FDIC examination team if the event takes the place of examination. However, if the bank cannot access these directorial team contacts, the bank will notify via email at

Federal Reserve Incident Reporting Information

The primary federal regulator of the banking institutions is the Board of Governors of the Federal Reserve System. Should notify the board about a notification incident by sending an email to or by calling 866-364-0096. However, for banks that are unsure whether they need to inform the board or not. The committee encourages them to contact it via telephone or email.

OCC Incident Reporting Information 

A bank must inform the OCC after it governs that the notification has taken place. Therefore, the bank may email/call its administrative office to satisfy this need.

36 Hour timeline is reasonable or not.?

As per the president of the strategy at Tripwire, Quick reporting has its pros and cons. Most organizations are still finding out the scale and impact of security incidence after 36 hours. As per the Chief Security scientist at cyber security Joseph Carson this is almost notification without determining the primary cause. 

Also, he said that it would likely increase the load on incident responders to try and discover patient zero. Also, the leading cause with the actual scale and impact of security incidence as fast as possible. So, therefore, increasing the resources they need for event response.

Chris Hauk, a consumer privacy expert at Pixel privacy, says that the 36-hour time frame is exceptionally resilient on banks, mainly smaller institutions. However, they are not sure that particular cyberattacks meet the necessary reporting. 

Also, Hauk says that it is helpful for the long term. It is because it contains at least some of the damage by making a brief report to the government. However, by seeing these reports, governmental agencies might be bewildered, as organizations may err on caution and report every attack.

Same deadlines should be there in all sectors.

According to the latest CERT, notice is six hours, and businesses and organizations are now being mandated to stick to less reporting timelines- 36 hours, 48 hours, 72 hours.

As per Hauk, the government needs to enlarge the reporting rules to other sectors. Like pipeline management, energy companies, and sensitive industries. The rise in cyber-attacks is because of the Russia-Ukraine war. Therefore, the government is taking action to allow quick response times. It will give breathing room to incident responders. However, reacting and protecting other industries in time requires the government itself.

The Financial Services sector is thoroughly digitized and integrated. Therefore, making it the primary target for those looking to disturb the particular institution. By applying the rule, FDIC, OCC, and the Fed influence cybersecurity practices across various sectors that depend on our financial system’s well-organized operation, Tim Mackey, principal security strategist at Synopsys cybersecurity Research center.

Related Posts

Data Sheet – ESOF Prediction Solution Brief



Survey Report

The Future of Risk
and Vulnerability Management!

Switch to Next Generation
Vulnerability Management - ESOF

Contact Us

    Download Case Study

    Download Case Study

    Download Case Study

    Download Case Study

    Download Case Study

    Data Sheet – ESOF AppSec

    Data Sheet – ESOF VMP

    Data Sheet – ESOF VMDR