US Banks Will Have 36 Hours to Report Cyberattacks, Regulators Say

As fintech gains a foothold in US banks, regulators are making sure that cybersecurity remains a priority.

US financial regulators have finalized a new rule requiring banking organizations in the country to report all “significant” cybersecurity incidents within 36 hours of their discovery.

It will prompt financial executives to warn the entire financial system of the latest ransomware or DDoS attack, potentially helping preempt similar problems.

The new regulation is further evidence that fintech is taking over in the US banking system — and that the government is hammering out the fine details to keep an eye on it as well.

How the Rule Works

Like all US regulation, this one comes with a deeply specific name no one can remember — “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers” — and is issued by a team of regulatory offices with similarly long names, the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System and the Federal Deposit Insurance Corporation.

Here’s what to know: Before this law, banks had no set window in which to report cyberattacks. Some Capitol Hill proposals suggested a timeline of about 72 hours, while the TSA rules would put it at 12 hours, making the 36-hour mark a compromise between the two.

The initial proposal was in December 2020, so the finalization process took nearly a year.

Bankers Approve

Some banking industry groups have influenced this final bill as well, cutting a clause that would have meant banks needed to report anything that they might “believe in good faith” to be a cybersecurity incident. Now, they just have to report the fully confirmed ones.

“Cyber-incident notification encourages early collaboration between regulators and banks so that regulators are made aware of circumstances that may have broader implications across the financial system while banks work to respond to, and investigate the incident,” said Heather Hogsett, senior vice president for technology and risk strategy at the Bank Policy Institute, which supports the new rule.

The law doesn’t actually go into effect immediately: It’ll be in place no sooner than April 2022, with full compliance required by May 1, 2022.

Once that happens, the impact should be pretty large, with some financial associations estimating the industry sees tens of thousands of cyberattacks on a daily basis.

More Visibility Is Always Good

More data on what ransomware or DDoS attacks look like is always an improvement over less information, and getting the news within a day and a half can definitely make a big difference. Other industries have similar oversight already, like the portal of health industry data breaches operated by the U.S. Department of Health and Human Services.

Ransomware attacks in particular remain a top threat for the banking industry, as they accounted for 81% of financial cyberattacks in 2020 alone. Small businesses in any industry can do their best to avoid reporting any attacks by preventing them in the first place: A good VPN can protect company data by routing it through a secure network to stay anonymous. We recommend the top business VPNs over here.

While no security measures are completely safe, you shouldn’t be waiting on your banking provider to report a cyberattack before taking precautions yourself. Even if those providers will be reporting a lot more quickly once this new rule is in place.

Did you find this article helpful? Click on one of the following buttons
We're so happy you liked! Get more delivered to your inbox just like it.

We're sorry this article didn't help you today – we welcome feedback, so if there's any way you feel we could improve our content, please email us at

Written by:
Adam is a writer at and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and his art history book on 1970s sci-fi, 'Worlds Beyond Time,' is out from Abrams Books in July 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
Explore More See all news
Back to top
close Step up your business video conferencing with GoToMeeting, our top rated conferencing app – try it free for 14 days Try GoToMeeting Free