Version date: 19 October 2021 - onwards

3. Information-sharing related to cyber incidents

Fragmentation in cyber incident reporting is often the result of differences in the relevant authorities' mandates, for example between prudential and other types of authorities. Moreover, many financial institutions are subject to supervision by multiple regulators. Enhanced information-sharing arrangements would help to reduce fragmentation in cyber incident reporting and promote a common understanding of the risk to the financial institution and financial system.

While many financial authorities have formal or informal information-sharing arrangements with one or more authorities outside their jurisdiction (authorities may also have information-sharing arrangements with cyber security or data privacy agencies within the same jurisdiction), there are substantial differences in the scope, depth and form of such information-sharing across jurisdictions and sectors. This is often due to legal and confidentiality constraints as well as a lack of clarity on the information that could be shared. Improvements in cooperation can be made through written cooperation arrangements between regulators, which cover timely notification and communication among authorities as well as cooperation in response and mitigation activities. Developing a better understanding of the possible systemic impacts of cyber incidents on financial institutions that operate in different jurisdictions would help authorities better understand what types of information are needed and more easily identify other authorities with whom the information should be shared.