Industry won some concessions in the final version of the rule, which banks must comply with by May.

The banking groups say they support the rule's policy goals, but want to alter its reporting threshold.

The rule requires financial services companies to notify regulators within 36 hours of a major cyber incident, but that's just for starters.

FDIC’s Howard Whyte and RedSeal’s Wayne Lloyd detail how network modeling of cloud and on-premise infrastructure help CIOs and security teams mitigate risk.

Three professional associations for bean-counters argue that any regulation should only set high-level principles or flexible frameworks — not specific or prescriptive rules which might be duplicative and could become quickly outdated as hacker threats evolve.