On 19 October 2021, the Financial Stability Board (FSB) published a report exploring whether greater convergence in the reporting of cyber incidents is achievable in light of increasing financial stability concerns, especially given the digitalisation of financial services and increased use of third-party service providers.
The FSB found that fragmentation exists across sectors and jurisdictions in relation to:
- the scope of what should be reported for a cyber incident;
- methodologies to measure severity and impact of an incident;
- timeframes for reporting cyber incidents; and
- how cyber incident information is used.
This fragmentation could undermine a financial institution’s response and recovery actions, and it highlights a need to address constraints in information-sharing for financial authorities and institutions.
The FSB has identified three ways to achieve greater convergence:
- Develop best practices. Identifying a minimum set of information related to cyber incidents that financial authorities may require to promote financial stability.
- Identify common types of information to be shared. Helping authorities better understand the impacts of a cyber incident across sectors and jurisdictions and better understand any legal and operational impediments to sharing such information.
- Create common terminologies for cyber incident reporting. Further work on cyber incidents will be underpinned by a common language, including a common definition for ‘cyber incident’.
The FSB will develop detailed timelines and modalities for taking this work forward by the end of 2021.