Version date: 19 October 2021 - onwards

4. Conclusions

Achieving greater convergence in cyber incident reporting is not straightforward. Jurisdictional differences will remain, such as reporting to national security and data protection agencies. Recognising that there are a number of impediments, including cross-sectoral considerations, that make convergence in cyber incident reporting regimes particularly challenging, due consideration should be taken in any approach that tries to address fragmentation in cyber incident reporting and avoid creating new fragmentation.

Further, confidentiality, privacy and other legal constraints, as well as other practices, may constrain the ability of authorities to share information, even within the same jurisdiction. There may also be a lack of clarity on what information could be shared over a secure platform, and how. Moreover, there is often not a strong incentive at an individual level to share information, even if it is in the collective interest of the relevant stakeholders.

Against this backdrop, the FSB has identified three ways to achieve greater convergence in cyber incident reporting, which would facilitate information-sharing across jurisdictions and sectors:

Develop best practices. Identify a minimum set of types of information authorities may require related to cyber incidents to fulfil a common objective (e.g. financial stability, risk assessment, risk monitoring) that authorities could consider when developing their cyber incident reporting regime. This set of information would also help authorities in determining reporting thresholds, timeframes for reporting and notification, while recognising that a one-size-fits-all approach may neither be appropriate nor possible.