Annex 1: Stocktake of authorities' cyber incident reporting regimes
The FSB took stock of authorities' regimes for regulatory reporting of cyber incidents by financial institutions (e.g. banks, insurers, asset managers and financial market infrastructures (FMIs)). The FSB also held follow-up discussions with financial authorities and engaged with external stakeholders.
Over 80 responses were received from 23 of the 24 FSB member jurisdictions plus the European Union (EU), and from 29 members of the six FSB Regional Consultative Groups (RCGs). (See Annex 2 for a list of the authorities that responded to the survey.) The stocktake focused on: (1) the institutional scope of cyber incident reporting by financial institutions; (2) the criteria for reporting and the characteristics of reportable cyber incidents; (3) the use of reported information by financial authorities; (4) cooperation and coordination among authorities within and across jurisdictions; (5) challenges in implementing cyber incident reporting regimes; and (6) how authorities use the FSB Cyber Lexicon in their policy development and in their interactions with financial institutions.
1. Institutional scope of cyber incident reporting
Most authorities that responded to the stocktake require the financial institutions under their oversight to report cyber incidents, but they make no distinction between cyber incidents and broader operational incidents for regulatory reporting purposes. As a result, cyber incidents are reported to the relevant financial authorities under the broader operational risk reporting framework, as a subset of operational (or information technology/cybersecurity) incidents. Many authorities also issue guidelines or frequently asked questions (FAQs) to clarify the details of their cyber incident reporting requirements.