4.2. Incident reporting to financial authorities
Incident reporting by financial institutions is an important tool for financial authorities as it can provide them with important data and actionable insights to fulfil their objectives, including effectively supervising financial institutions, and monitoring and managing potential financial stability risks.
As discussed in Section 3.3, the CIR Recommendations examine the need for, and usefulness of, cyber-incident reporting for financial institutions. The toolkit in this document is consistent with these recommendations and builds upon them with respect to incidents (including but not limited to cyber incidents) at third-party service providers that impact their client financial institutions. Like the CIR Recommendations, the toolkit seeks to avoid unnecessary fragmentation in reporting requirements. Financial authorities should refer to the CIR Recommendations for specific recommendations and tools on the reporting of cyber incidents more broadly.
4.2.1. Current practices
In recent years, different regulatory and supervisory practices have emerged, and continue to evolve, in relation to incident reporting to financial and cross-sectoral authorities. As discussed in Section 3.3, in many jurisdictions financial institutions are required to report incidents meeting pre-determined criteria or thresholds, including cyber incidents, to one or more authorities. [The CIR Recommendations include a description of different types of triggers that FSB members were using in 2022, though incident reporting requirements are being updated in a number of jurisdictions.]
These requirements include incidents linked to a financial institution's third-party service relationships. The CIR Recommendations encourage financial authorities to: