Version date: 4 December 2023 - onwards

3.3. Incident reporting to financial institutions

Financial institutions are generally required to identify and remediate incidents [The use of the term "incident" is intended to be inclusive of, and thematically consistent with, the FSB's definition of cyber incident: an observable occurrence that adversely affects the preservation of the confidentiality, integrity and availability of an information system or the information the system processes, stores or transmits, whether resulting from malicious activity or not. The term "incident" in this document is not limited to cyber incidents but captures a wider scope relevant to third-party risks.] and may be required to report relevant incidents to financial authorities within a defined period of time. The scope of these incidents may include incidents affecting a third-party service or service provider on which the financial institution relies. Accurate and early assessment of incidents can be difficult if third-party service providers do not share relevant incident information with financial institutions in a timely manner, notwithstanding service providers' efforts to remediate the incident. The FSB's Recommendations to Achieve Greater Convergence in Cyber Incident Reporting (CIR Recommendations) [At the request of the G20, the FSB published in April 2023 its Recommendations to Achieve Greater Convergence in Cyber Incident Reporting, which set out recommendations that aim to promote convergence among CIR frameworks for financial institutions, while recognising that a one-size-fits-all approach is neither feasible nor preferable. The CIR Recommendations include extensive discussion of cyber incidents impacting third-party service providers to regulated financial institutions.] emphasise the need to balance timely reporting with the remediation of operational challenges that could otherwise detract from incident response.