2. Fragmentation in cyber incident reporting
There are many common elements in cyber incident reporting across jurisdictions and sectors. This includes the date and time of the incident; impact of the incident on customers, reputation and financials; date and how the incident was identified (e.g. by a customer, employee, third-party service provider) and cause of the incident. Notwithstanding these commonalities, there are significant differences in: how a cyber incident is defined; thresholds for reporting cyber incidents, definitions of materiality; how incident information is used; and the timeframe for reporting an incident. These differences are elaborated below, and result in fragmentation in the reporting of cyber incidents. In particular, financial institutions that operate across jurisdictions and sectors are subjected to multiple reporting requirements for one incident. At the same time, financial authorities receive heterogeneous information for a given cyber incident which impacts their assessment of the risk to the financial institution and financial system.
■ Scope of cyber incident reporting'. The scope of 'cyber incidents' required to be reported by financial institutions to financial authorities varies across jurisdictions and sectors. For example, some authorities do not distinguish between broader operational incidents and cyber incidents or define a 'cyber incident' more broadly than others, often using it interchangeably with a 'cyber event', which is generally associated with 'any observable occurrence in an information system'. This may lead to excessive notification and reporting of incidents that can usually be managed by financial institutions.