Guide

The 36-Hour Rule

What banks need to know about cybersecurity notification requirements

Guide

The 36-Hour Rule

What banks need to know about cybersecurity notification requirements

Guide

The 36-Hour Rule

What banks need to know about cybersecurity notification requirements

The financial industry experienced a substantial change in its cybersecurity regulations in 2022. A change that is not entirely understood by those it most impacts: banks and their third-party service providers. Under the 36-hour rule, banks are now required to report any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the bank determines it occurred.

In this guide you’ll learn:

  • Why three federal bank regulators jointly established the rule.
  • What is considered a notification-worthy incident.
  • Seven incidents that fall under the 36-hour rule.

The financial industry experienced a substantial change in its cybersecurity regulations in 2022. A change that is not entirely understood by those it most impacts: banks and their third-party service providers. Under the 36-hour rule, banks are now required to report any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the bank determines it occurred.

In this guide you’ll learn:

  • Why three federal bank regulators jointly established the rule.
  • What is considered a notification-worthy incident.
  • Seven incidents that fall under the 36-hour rule.

Get the free resource

Get the free resource

arrow down