C Spire logo with a blue stylized C symbol

Guide

The 36-hour rule

Here's what banks need to know about cybersecurity notification requirements.

Understanding the 36-hour cybersecurity notification rule for banks

36-hour rule cybersecurity guide image

What banks must report under the 36-hour rule

The financial industry experienced a substantial change in its cybersecurity regulations in 2022. A change that is not entirely understood by those it most impacts: banks and their third-party service providers. Under the 36-hour rule, banks are now required to report any computer-security incident that rises to the level of a notification incident as soon as possible and no later than 36 hours after the bank determines it occurred.

In this guide you’ll learn:

  • Why three federal bank regulators jointly established the rule.
  • What is considered a notification-worthy incident.
  • Seven incidents that fall under the 36-hour rule.

Get the Guide

Fill out the form to download.

Back to Guides