In response to increasingly frequent and sophisticated cybersecurity attacks on banks and bank service providers, the federal prudential banking regulators—the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System, and the Federal Deposit Insurance Corporation (FDIC)—have adopted a new rule that requires banks to report cyber incidents to their primary regulator. The rule further requires bank service providers to notify affected banks as soon as possible after determining a computer-security incident has materially disrupted or degraded, or is reasonably likely to materially disrupt or degrade, services provided to banks for four or more hours.
