top of page



Feds Finalize Bank Security Incident Notification Rule

Rule Addresses Comments from Taproot Security


Saint Paul, MN, November 29, 2021 – US federal regulatory agencies finalized a new rule requiring banks to notify them within 36 hours after confirming a cybersecurity incident. The final rule incorporates some comments from Taproot Security and discusses others. Taproot founder Michael McCormick discussed the rule in a March press release.

The new rule takes effect on April 1, 2022, and banks must fully comply by May 1. The rule only requires them to notify federal regulators  of a cybersecurity incident. They are not required to notify customers or the general public under this rule, but there is legislation pending in Congress to address that.


About Taproot Security


Taproot Security is an information security consulting firm advising industry and government on cyber issues and policy. For more information, please visit




To learn more about this announcement, please contact

Michael McCormick

Founder & President

Taproot Security, LLC


- END -

bottom of page