US regulators have approved a new rule that requires banks to report any "significant" computer security incident within 36 hours of discovering it.
Banks must inform their primary federal regulator within the timeframe for incidents that have materially affected — or are reasonably likely to materially affect — the viability of their operations, their ability to deliver products and services, or the stability of the financial sector.
In addition, banks must notify customers as soon as possible if the incident has, or is reasonably likely to, materially affected these users for four or more hours.
Banks have to be compliant with the rule - which has been approved by the Federal Reserve, FDIC and OCC - by 1 May 2022.