On 13 April 2023, the Financial Stability Board (FSB) published a Final Report on recommendations to achieve greater convergence in cyber incident reporting.
The report notes that cyber incidents are rapidly growing in frequency and sophistication. At the same time, the cyber threat landscape is expanding amid digital transformation, increased dependencies on third-party service providers and geopolitical tensions. Recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability, the G20 asked the FSB to deliver a report on achieving greater convergence in cyber incident reporting (CIR).
Drawing from the FSB’s body of work on cyber, including engagement with external stakeholders, the report sets out recommendations that aim to promote convergence among CIR frameworks, while recognising that a one-size fits all approach is not feasible or preferable. Financial authorities and financial institutions (FIs) can choose to adopt these recommendations as appropriate and relevant, consistent with their legal and regulatory framework.
The final report makes the following recommendations:
- Establish and maintain objectives for CIR. Financial authorities should have clearly defined objectives for incident reporting, and periodically assess and demonstrate how these objectives can be achieved in an efficient manner, both for FIs and authorities.
- Explore greater convergence of CIR frameworks. Financial authorities should continue to explore ways to align their CIR regimes with other relevant authorities, on a cross-border and cross-sectoral basis, to minimise potential fragmentation and improve interoperability.
- Adopt common data requirements and reporting formats. Financial authorities should individually or collectively identify common data requirements, and, where appropriate, develop or adopt standardised formats for the exchange of incident reporting information.
- Implement phased and incremental reporting requirements. Financial authorities should implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control.
- Select appropriate incident reporting triggers. Financial authorities should explore the benefits and implications of a range of reporting trigger options as part of the design of their CIR regime.
- Calibrate initial reporting windows. Financial authorities should consider potential outcomes associated with window design or calibration used for initial reporting.
- Provide sufficient details to minimise interpretation risk. Financial authorities should promote consistent understanding and minimise interpretation risk by providing an appropriate level of detail in setting reporting thresholds, using common terminologies and supplementing CIR guidance with examples.
- Promote timely reporting under materiality-based triggers. Financial authorities that use materiality thresholds should consider fine tuning threshold language, or explore other suitable approaches, to encourage prompt reporting by FIs for material incidents.
- Review the effectiveness of CIR and cyber incident response and recovery (CIRR) processes. Financial authorities should explore ways to review the effectiveness of FIs’ CIR and CIRR processes and procedures as part of their existing supervisory or regulatory engagement.
- Conduct ad-hoc data collection. Financial authorities should explore ways to complement CIR frameworks with supervisory measures as needed and engage FIs on cyber incidents, both during and outside of live incidents.
- Address impediments to cross-border information sharing. Financial authorities should explore methods for collaboratively addressing legal or confidentiality challenges relating to the exchange of CIR information on a cross-border basis.
- Foster mutual understanding of benefits of reporting. Financial authorities should engage regularly with FIs to raise awareness of the value and importance of incident reporting, understand possible challenges faced by FIs and identify approaches to overcome them when warranted.
- Provide guidance on effective CIR communication. Financial authorities should explore ways to develop, or foster development of, toolkits and guidelines to promote effective communication practices in cyber incident reports.
- Maintain response capabilities which support CIR. FIs should continuously identify and address any gaps in their cyber incident response capabilities which directly support CIR, including incident detection, assessment and training on a continuous basis.
- Pool knowledge to identify related cyber events and cyber incidents. Financial authorities and FIs should collaborate to identify and implement mechanisms to proactively share event, vulnerability and incident information amongst financial sector participants to combat situational uncertainty, and pool knowledge in collective defence of the financial sector.
- Protect sensitive information. Financial authorities should implement secure forms of incident information handling to ensure protection of sensitive information at all times.