Cyber Incident Reporting Requirements & Notification Timelines for Financial Institutions

Congress is currently drafting legislation to require the private sector to report cyber “incidents” to the government with the stated goal of improving broader awareness across the government of cybersecurity attacks and threat identification.  The banking/financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. As a result, it is important to ensure that any new requirements are harmonized and align with existing requirements for financial firms. The sector can also offer best practices on how to structure and achieve more effective outcomes.  The following is a snapshot of the main banking/financial services requirements; a myriad of others exist as well.  

1. Gramm-Leach-Bliley Act (GLBA). 

Under the GLBA and its implementing regulations[1], cyber incident reporting is triggered when a financial institution becomes aware of unauthorized access to sensitive customer information that is, or is likely to be, a misuse of the customer’s information. Notification to regulators is required as soon as possible after the institution determines that misuse of customer data has occurred or is reasonably possible (e.g. at the start of an investigation to determine the likelihood that the information has been or could be misused). To ensure adherence to these requirements, regulators conduct ongoing and rigorous reviews of institutions’ operating and governance processes, including data security and data handling processes and third-party risk management measures. Failure to report incidents and adhere to these requirements could result in serious enforcement measures including mandatory corrective action directives, restrictions on activities, and fines.

Reporting Timeline – as soon as possible once the institution determines unauthorized access occurred. 

Definitions – A cyber incident is defined as unauthorized access to sensitive customer information. 

Scope of Reporting – Covers non-public customer information such as personally identifiable financial information, financial transaction information, income, and credit rating data, etc.

Reporting Mechanism – Report provided to regulators; information becomes part of ongoing regulatory oversight/examinations. 

2. New York Department of Financial Services (NYDFS) Cybersecurity Regulation. 

The NYDFS regulations[2]  became effective on March 1, 2017 and add another layer of mandatory cybersecurity reporting requirements for financial services companies. A financial institution must notify NYDFS when a cyber event triggers reporting to any other government body, regulatory or self-regulatory agency. Notification is also triggered if there is a reasonable likelihood of material harm to the institution’s operations. Once a triggering event has occurred, notification must occur as promptly as possible, but not later than 72 hours from the determination that a cybersecurity event has occurred. 

Reporting Timeline – 72 hours from the determination that a cyber event has occurred.

Definitions – A cyber event is defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an information system or information stored on an information system.

Scope of Reporting – Covers non-public customer information and information technology systems[3]

Reporting Mechanism – Report provided to NYDFS; information becomes part of ongoing regulatory oversight

3. European Union General Data Protection Regulation (GDPR). 

In the case of a personal data breach, notification is required without undue delay and, where feasible, not later than 72 hours after having become aware of it. GDPR sets specific privacy parameters for use, data security, and handling of consumer data.  

Reporting Timeline – 72 hours

Definitions – A “data breach” is defined as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Scope of Reporting – Personal data[4]

Reporting Mechanism – Entities report to the agency designated by each Member state, which then notifies other Member states as needed. 

4. European Union NIS Directive 1.0:

In 2016, the EU mandated cyber incident reporting for all sectors defined under the term Essential Services which is like the U.S. term of Critical Infrastructure. However, the EU has both mandatory security mandates on Digital Service Providers and stricter reporting requirements on DSPs[5]. The EU is in the midst of updating the NIS Directive 2.0 where notification must occur with any event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of the related services offered by, or accessible via, network and information systems. 

Reporting Timeline – 24 hours from when an entity is aware of an incident, and then a report 30 days later. 

Definitions – An incident means any event having an actual adverse effect on the security of network and information systems.[6]

Scope of Reporting – The Directive does not define the threshold of what is a significant incident requiring notification to the relevant EU Member state national authority and defines 3 parameters for reporting: number of users affected; duration of incident; geographic spread. DSPs have 5 requirements that are broader. 

Reporting Mechanism – Entities report to the agency designated by each Member state.

5. Notice of Proposed Rulemaking (NPR) from OCC/Federal Reserve/FDIC.

On Jan. 12, 2021, the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), and the Federal Deposit Insurance Corporation (FDIC) published a proposed rule on “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” Under the proposal, incident notification would be triggered after the determination by a banking organization that a computer-security incident has occurred that the bank believes in good faith could cause significant disruption to the institution’s operations and ability to deliver products and services to a significant portion of its customers or could pose a risk to the financial stability of the United States. Upon determining that an event has reached the notification incident threshold, a banking organization would be required to notify as soon as possible but no later than 36 hours.

Reporting Timeline – 36 hours after a good faith belief that a notification incident has occurred.

Definitions – A computer security incident is defined as an occurrence that jeopardizes confidentiality, integrity or availability of an information system or the information a system processes, stores, or transmits[7]; a notification incident is defined as a significant computer security incident that could jeopardize the viability of the operations of a financial institution, prevent customers from accessing their deposit and other accounts, or impact the stability of the financial sector.

Scope of Reporting – covers non-public customer information and information technology systems[8].

Reporting Mechanism – Notification to be provided to primary federal regulator; intended to provide early awareness of emerging threats to individual institutions and potentially the broader financial system. 

Key Definitions: 

Systemically Important Financial Institutions

Congress is also considering creating a new definition for critical infrastructure, “Systemically Important Critical Infrastructure (SICI),” modeled after the financial designation of Systemically Important Financial Institutions (SIFI). 

Under Section 113 of the Dodd-Frank Act, a financial institution may be named a SIFI if the nature, scope, size, scale, concentration, interconnectedness, or mix of its activities could pose a threat to U.S. financial stability. The designation is made by the Financial Stability Oversight Council[9] and subjects institutions to enhanced regulatory standards.

Information Technology Systems

NIST defines an information technology system as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”[10]


[1] Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. See https://www.federalregister.gov/documents/2005/03/29/05-5980/interagency-guidance-on-response-programs-for-unauthorized-access-to-customer-information-and  

[2] See New York Codes, Rules and Regulations (23 NYCRR 500). https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

[3] Defined as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”

[4] Personal data is under GDPR here: https://gdpr-info.eu/art-4-gdpr/

[5] Essential Services are defined by the EU in the NIS Directive and was implemented in 2016. See: https://eur-lex.europa.eu/eli/dir/2016/1148/oj

[6] For definition of incident, see https://eur-lex.europa.eu/eli/dir/2016/1148/oj

[7] This definition is taken from NIST which states a computer security incident is “an occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. See NIST, Computer Security Resource Center, Glossary https://csrc.nist.gov/glossary/term/Computer_Security_Incident

[8] The NPR does not define information technology systems.

[9] For more information on FSOC see https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/fsoc/about-fsoc

[10] See https://csrc.nist.gov/glossary/term/information_system