Cyber Incident Reporting Requirements & Notification Timelines for Financial Institutions

Congress is considering legislation to require the private sector to report cyber “incidents” to the government with the stated goal of improving broader awareness across the government of cybersecurity attacks and threat identification. The banking/financial services sector is one of the few critical infrastructure sectors that has had mandatory cybersecurity and incident reporting requirements in law and regulation for over 20 years. As a result, it is important to ensure that any new requirements are harmonized and align with existing requirements for financial firms. The sector can offer best practices on how to structure and achieve more effective outcomes. In addition to reporting from the private sector, it is critical that federal agencies and independent regulatory bodies also report incidents. A number of government entities hold sensitive information on businesses and consumers and should be required to report cyber incidents and notify an entity or individual whose information may be affected by a breach. The following is a snapshot of the main banking/financial services requirements; a myriad of others exist as well. 

U.S. Federal Banking / SEC Requirements

1. Gramm-Leach-Bliley Act (GLBA). 

Under the GLBA and its implementing regulations[1], cyber incident reporting is triggered when a financial institution becomes aware of unauthorized access to sensitive customer information that is, or is likely to be, a misuse of the customer’s information. To ensure adherence to these requirements, regulators conduct ongoing and rigorous reviews of institutions’ operating and governance processes, including data security and data handling processes and third-party risk management measures. Failure to report incidents and adhere to these requirements could result in serious enforcement measures including mandatory corrective action directives, restrictions on activities and fines.

  • Reporting Timeline – as soon as possible once the institution determines unauthorized access occurred.
  • Definitions – A cyber incident is defined as unauthorized access to sensitive customer information. 
  • Scope of Reporting – Covers nonpublic customer information such as personally identifiable financial information, financial transaction information, income and credit rating data, etc.
  • Reporting Mechanism – Report provided to regulators; information becomes part of ongoing regulatory oversight/examinations. 

2. Notice of Proposed Rulemaking (NPR) from OCC/Federal Reserve/FDIC. 

On Jan. 12, 2021, the OCC, the Board of Governors of the Federal Reserve System (Board), and the FDIC published a proposed rule on “Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers.” Under the proposal, incident notification would be triggered after the determination by a banking organization that a computer-security incident has occurred that the bank believes in good faith could cause significant disruption to the institution’s operations and ability to deliver products and services to a significant portion of its customers or could pose a risk to the financial stability of the United States.

  • Reporting Timeline – as soon as possible but no later than 36 hours from the determination that an event has crossed the notification incident threshold
  • Definitions – A computer security incident is defined as an occurrence that jeopardizes confidentiality, integrity or availability of an information system or the information a system processes, stores, or transmits[2]; a notification incident is defined as a significant computer security incident that could jeopardize the viability of the operations of a financial institution, prevent customers from accessing their deposit and other accounts, or impact the stability of the financial sector.
  • Scope of Reporting – covers nonpublic customer information and information technology systems[3].
  • Reporting Mechanism – Notification to be provided to the primary federal regulator; intended to provide early awareness of emerging threats to individual institutions and potentially the broader financial system.

3. 2018 Securities & Exchange Commission (SEC) Guidance on Public Company Cybersecurity 10- Q, 10-K and 8-K Disclosures. 

On Feb. 26, 2018, the SEC released a clarification to earlier 2011 general disclosure guidance that warned public companies that cyber incidents may have to be reported through public disclosures. The clarification guidance effectively puts public companies on more stringent notice with regard to breach notification practices and requires reporting of material cyber incidents and their potential security risks within quarterly, yearly and, if needed, current filings.

  • Reporting Timeline – Dependent on the materiality of a given incident in relation to the timing of the preparation and release of a periodic disclosure filing, but states that it is critical that public companies take all required actions to inform investors about materialcybersecurity risks and incidents in a timely fashion.
  • Scope of Reporting – Covers all material cybersecurity incidents and associated potential security risks.
  • Reporting Mechanism – Notification to be provided through investor disclosures (10-Q,   10-K and 8-K if necessary).

European Union Requirements

4. European Union General Data Protection Regulation (GDPR). 

GDPR sets specific privacy parameters for use, data security and handling of consumer data. 

  • Reporting Timeline – not later than 72 hours after becoming aware of the breach
  • Definitions – A “data breach” is defined as “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
  • Scope of Reporting – Personal data[4]
  • Reporting Mechanism – Entities report to the agency designated by each Member state, which then notifies other Member states as needed. 

5. European Union NIS Directive 1.0: 

In 2016, the EU mandated cyber incident reporting for all sectors defined under the term Essential Services which is like the U.S. term of Critical Infrastructure. However, the EU has both mandatory security mandates on Digital Service Providers and stricter reporting requirements on DSPs[5]. The EU is in the midst of updating the NIS Directive 2.0 where notification must occur with any event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the related services offered by, or accessible, via network and information systems. 

  • Reporting Timeline – 24 hours from when an entity is aware of an incident, and then a report 30 days later. 
  • Definitions – An incident means any event having an actual adverse effect on the security of network and information systems.[6]
  • Scope of Reporting – The Directive does not define the threshold of what is a significant incident requiring notification to the relevant EU Member state national authority and defines three parameters for reporting: number of users affected; duration of incident; geographic spread. DSPs have five requirements that are broader. 
  • Reporting Mechanism –Entities report to the agency designated by each Member state.

State Requirements

6. New York Department of Financial Services (NYDFS) Cybersecurity Regulation. 

The NYDFS regulations[7] became effective on March 1, 2017, and add another layer of mandatory cybersecurity reporting requirements for financial services companies. A financial institution must notify NYDFS when a cyber event triggers reporting to any other government body, regulatory or self-regulatory agency. Notification is also triggered if there is a reasonable likelihood of material harm to the institution’s operations.

  • Reporting Timeline – 72 hours from the determination that a cyber event has occurred.
  • Definitions – A cyber event is defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an information system or information stored on an information system.
  • Scope of Reporting – Covers nonpublic customer information and information technology systems[8]
  • Reporting Mechanism – Report provided to NYDFS; information becomes part of ongoing regulatory oversight

7. State Data Breach Notification Requirements. 

All 50 states have codified a version of a consumer data breach notification statute[9], which contains provisions intended to protect against unauthorized access of computerized data and personal information. The statutes generally also require notification to affected residents of the state whose personal information was or is reasonably believed to have been compromised. In most cases, the statute also requires notice in varying combinations to the state’s Attorney General, state law enforcement and credit reporting agencies. Although in many states financial institutions are statutorily exempted or deemed in compliance due to their existing compliance with federal standards like GLBA, federal banking regulatory guidance, or in some cases, by operation of their supervision by a federal entity, the exemption provides little relief. Still, many financial institutions purposefully do not avail themselves of the state exemption and notify throughout the relevant state executive structure to avoid being penalized for inadvertent nondisclosure. 

  • Reporting Timelines – Varies by state, ranging from “within the most expedient time possible and without unreasonable delay…” to “72 hours from the determination that a cyber event has occurred…”
  • Definitions – Varies by state.
  • Scope of Reporting – Varies by state but generally covers unauthorized access of personal information
  • Reporting Mechanisms – Varies by state, but nearly always requires notice to affected residents of the state, and generally some combination of the state Attorney General, state law enforcement, and credit reporting agencies. It can also occasionally require notice to subordinate state regulatory offices as directed by the state legislature or state executive.

Other Requirements and Model Legislation

8. National Association of Insurance Commissioners (NAIC) Model Law. 

Insurance is a state-regulated business model overseen by the insurance commissioners of the 50 states. Financial institutions with insurance subsidiaries must operate within these 50 jurisdictions under the rules of the several states in which they provide insurance products. The National Association of Insurance Commissioners (NAIC) developed a cybersecurity framework model law that guides states in adopting their own statutes on cyber incident notification. The model law is not binding until adopted by an individual state; states are free to modify or decline to adopt any aspect or provision of the model law through their state legislative process. As of July 2021, less than 20 states have adopted the model law in whole or part, but its framework is under active consideration in many more.

  • Reporting Timelines – Under the language of the model law, notification is to be made as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred. However, adopting states are free to, and do, vary their reporting timelines.
  • Definitions – A cybersecurity event means an event resulting in unauthorized access to, disruption or misuse of, an Information System or information stored on such an Information System. An Information System means a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.
  • Scope of Reporting – Under the language of the Model Law, covers information systems and information stored on information systems.
  • Reporting Mechanisms – Under the language of the Model Law, notification is made to the state insurance commissioner and affected consumers as directed by the adopting state’s data breach notification law.

Key Definitions

Systemically Important Financial Institutions

Congress is also considering creating a new definition for critical infrastructure, “Systemically Important Critical Infrastructure (SICI),” modeled after the financial designation of Systemically Important Financial Institutions (SIFI). Under Section 113 of the Dodd-Frank Act, a financial institution may be named a SIFI if the nature, scope, size, scale, concentration, interconnectedness, or mix of its activities could pose a threat to U.S. financial stability. The designation is made by the Financial Stability Oversight Council[10] and subjects institutions to enhanced regulatory standards.

Information Technology Systems

NIST defines an information technology system as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”[11]


[1] Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. See https://www.federalregister.gov/documents/2005/03/29/05-5980/interagency-guidance-on-response-programs-for-unauthorized-access-to-customer-information-and

[2] This definition is taken from NIST which states a computer security incident is “an occurrence that results in actual or potential jeopardy to the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.” See NIST, Computer Security Resource Center, Glossary https://csrc.nist.gov/glossary/term/Computer_Security_Incident

[3] The NPR does not define information technology systems.

[4] Personal data is under GDPR here: https://gdpr-info.eu/art-4-gdpr/

[5] Essential Services are defined by the EU in the NIS Directive and were implemented in 2016. See: https://eur-lex.europa.eu/eli/dir/2016/1148/oj

[6] For definition of “incident,” see https://eur-lex.europa.eu/eli/dir/2016/1148/oj

[7] See New York Codes, Rules and Regulations (23 NYCRR 500). https://govt.westlaw.com/nycrr/Browse/Home/NewYork/NewYorkCodesRulesandRegulations?guid=I5be30d2007f811e79d43a037eefd0011&originationContext=documenttoc&transitionType=Default&contextData=(sc.Default)

[8] Defined as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”

[9] See Sample of Cyber-Incident Notification Requirements

[10] For more information on FSOC see https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/fsoc/about-fsoc

[11] See https://csrc.nist.gov/glossary/term/information_system.