2.2. Setting reporting criteria
The process of determining and articulating the point at which a reporting obligation becomes actionable following a cyber incident poses challenges for financial authorities, and hinders convergence in CIR.
First, the calibration of reporting criteria can present practical issues, including:
■ setting reporting criteria which is cause-agnostic (i.e. relevant in all incident circumstances) and proportionate in nature, and therefore applicable to a diverse range of FIs of differing scales, complexity and types;
■ determining an appropriate duration for FIs to fulfil their reporting obligation once it has been triggered;
■ for detection-based triggers, balancing the time (on average) that may require FIs to sufficiently understand the nature of an incident before submitting an initial report, against the financial authority's need to be informed in a timely manner; and
■ for materiality-based triggers, overcoming the inherent difficulty in describing or measuring impact and severity, given the lack of established methodologies to guide financial authorities [FSB (2021), page 3.] and FIs.