Executive summary
Cyber incidents remain a threat to the financial system and are rapidly growing in frequency and sophistication. In light of increasing financial stability concerns, especially given the digitalisation of financial services and increased use of third-party service providers, the Financial Stability Board (FSB) explored whether harmonisation in cyber incident reporting could be achieved.
The FSB found that fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used. This subjects financial institutions that operate across borders or sectors to multiple reporting requirements for one cyber incident. At the same time, financial authorities receive heterogeneous information for a given incident, which could undermine a financial institution's response and recovery actions. This underscores a need to address constraints in information-sharing among financial authorities and financial institutions.
Recognising that information on cyber incidents is crucial for effective actions and promoting financial stability, the FSB identified three ways that it will take work forward to achieve greater convergence in cyber incident reporting:
■ Develop best practices. Identify a minimum set of types of information that authorities may require about cyber incidents to fulfil a common objective (e.g. financial stability, risk assessment, risk monitoring), which authorities could consider when developing their cyber incident reporting regime. This set of information would also help authorities determine reporting thresholds and timeframes for reporting and notification, while recognising that a one-size-fits-all approach may be neither appropriate nor possible.