Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers

Fed · final-rule · Published 2021-11-23 · Effective 2022-04-01 · 86 FR 66424

Document

Document number: 2021-25510
Federal Register citation: 86 FR 66424
CFR reference: 12 CFR 53
Type: Rule
Action: Final rule.
Category: final-rule
Agency: US Federal Reserve System
Publication date: 2021-11-23
Effective date: 2022-04-01
Docket: Docket ID OCC-2020-0038

Abstract

The OCC, Board, and FDIC are issuing a final rule that requires a banking organization to notify its primary Federal regulator of any "computer-security incident" that rises to the level of a "notification incident," as soon as possible and no later than 36 hours after the banking organization determines that a notification incident has occurred. The final rule also requires a bank service provider to notify each affected banking organization customer as soon as possible when the bank service provider determines that it has experienced a computer-security incident that has caused, or is reasonably likely to cause, a material service disruption or degradation for four or more hours.

Source

Authoritative
Federal Register document