On January 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a Notice of Proposed Rulemaking (NPRM) titled Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.
The Proposed Rule would require a “banking organization” to notify its primary regulator no later than 36 hours after reasonably determining that a qualifying incident has occurred, and it would require a “bank service provider” (both terms defined below) to notify a banking organization immediately upon detecting that an incident materially impacting such organization has occurred.
Source: New Proposed Rule Requires Banks to Notify Regulators within 36 Hours – Hogan Lovells Engage