They have just 36 hours.
Banks must report major cyberattacks to regulators within 36 hours if the incident is likely to disrupt their business, according to a new rule from US regulators.
Any “computer security incident” that threatens a lender’s operations, services to customers or the stability of the financial system has to be disclosed to the bank’s primary government watchdog, according to a rule issued on Thursday that is set to go live on May 1.
The regulation, approved by the Federal Reserve and other banking agencies, will also extend to companies that provide services to banks. Those firms will be asked to notify their bank clients as soon as possible when disruptions are expected to affect customers for more than four hours.
Possible examples of incidents that firms should report include large-scale distributed denial of service attacks or a computer hack that knocks out banking operations for more than a brief period, according to the rule from the Fed, Office of the Comptroller of the Currency and Federal Deposit Insurance Corp. The 36-hour clock starts as soon as the bank is aware of an incident, according to the rule.