On 1/12/21, the joint regulators (OCC, Fed, & FDIC) published a proposal in the Federal Register that would require banks to provide their primary federal regulator with prompt notification of any “computer-security incident” that rises to the level of a “notification incident.” The proposed rule would require such notification upon the occurrence of a notification incident as soon as possible and no later than 36 hours after the banking organization believes in good faith that the incident occurred. This notification requirement is intended to serve as an early alert to a banking organization's primary federal regulator and is not intended to provide an assessment of the incident.
The full proposal can be found here.