3.2. Supervisory activities and collaboration between authorities
Recommendation 9. Review the effectiveness of CIR and cyber incident response and recovery (CIRR) processes
Financial authorities should explore ways to review the effectiveness of FIs' CIR and CIRR processes and procedures as part of their existing supervisory or regulatory engagement.
Reviews of FIs' CIR processes and procedures may identify potential gaps that could lead to under-, over- or late reporting. Where possible, financial authorities could perform such reviews within their ongoing supervision by including, inter alia:
■ drills and thematic assessments to evaluate FIs' plans and procedures to achieve the required levels of CIR (e.g. standard operating procedure for communication and coordination, clear reporting standards);
■ on-site inspections or independent reviews (e.g. comparing internally logged incidents with notified incidents to the authority, adequate cyber incident response tools);
■ collecting information on cyber incidents from other information sources (e.g. cyber incident reports from other FIs, third parties or other sectors; media reports; other information sharing arrangements).
Cyber security tests and exercises carried out by FIs could also include CIR plans and procedures in order to seek a continuous improvement of their internal capabilities based on the lessons learnt. FIs could also engage an independent party to assess their incident management measures and processes, including procedures for incident escalation and reporting.