2.4. Early assessment challenges
Due to the ambiguous nature of many cyber incidents in general, the true impact or root cause of the incident may not be known for some time. This makes obtaining relevant cyber incident information in the early phases of the incident a challenge, hindering the ability to assess the impact of an incident. This creates challenges for authorities to coordinate and communicate relevant responses in a timely manner to ensure stability of the financial system. Information often is not communicated in a standard way and different authorities may receive different amounts of information at different times, impacting the ability for authorities to come up with a common operating picture and cohesive policy response. A timely and clear picture of an incident is important for financial authorities as it forms the basis for any policy response; including supervisory responses or in the case of a more material incident, public communication or tools to address potential systemic impacts.
The challenge for FIs is that some cyber incidents are often not easy or straightforward to identify. Detection of an incident may lag significantly after the first occurrence and the extent of the impact may not be obvious at first (e.g. if there is no service down time). Assessing the full extent of the impact of cyber incidents can take a long time and therefore may continue beyond the initial thresholds and reporting requirements. Expectations to complete this type of assessment for reporting purposes early on, while important, add additional stress and diverts resources from focusing on resolving the incident. The resources to analyse the root cause of an incident will vary depending on the complexity of the incident. In the case of an incident initiated for malicious purposes, the instigating party may take steps to obfuscate impact.