The interconnectedness of the global financial system makes it possible that a cyber incident at one financial institution (or an incident at one of its third-party service providers) could have spill-over effects across borders and sectors.

Cyber incidents are rapidly growing in frequency and sophistication. At the same time, the cyber threat landscape is expanding amid digital transformation, increased dependencies on third-party service providers and geopolitical tensions.

Recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability, the G20 asked the FSB to deliver a report on achieving greater convergence in cyber incident reporting (CIR).

Drawing on the FSB’s body of work on cyber, including engagement with external stakeholders, the report identifies commonalities in CIR frameworks and details practical issues associated with the collection of cyber incident information from financial institutions (FIs) and its onward sharing between financial authorities. These practical issues include:

  1. operational challenges arising from the process of reporting to multiple authorities;

  2. setting appropriate and consistent qualitative and quantitative criteria/thresholds for reporting;

  3. establishing an appropriate culture to report incidents in a timely manner;

  4. inconsistent definitions and taxonomy related to cyber security;

  5. establishing a secure mechanism to communicate on cyber incidents; and

  6. legal or confidentiality constraints in sharing information with authorities across borders and sectors.

This report sets out 16 recommendations to address these issues with a view to promoting best practices in cyber incident reporting.

Recommendations mapped to identified issues and challenges

| Recommendation | Operational challenges | Setting reporting criteria | Culture of timely reporting | Early assessment challenges | Secure communications | Cross-border and cross-sectoral issues |
|---|---|---|---|---|---|---|
| A. Design of CIR approach | | | | | | |
| 1. Establish and maintain objectives for CIR | Significant | | | | | |
| 2. Explore greater convergence of CIR frameworks | Moderate | | | | Significant | Significant |
| 3. Adopt common data requirements and reporting formats | Profound | | Moderate | Moderate | | |
| 4. Implement phased and incremental reporting requirements | Minor | | Significant | Significant | | |
| 5. Select appropriate incident reporting triggers | | Profound | | | | |
| 6. Calibrate initial reporting windows | | Profound | | | | |
| 7. Provide sufficient details to minimise interpretation risk | | Profound | | | | |
| 8. Promote timely reporting under materiality-based triggers | | Significant | Moderate | | | |
| B. Supervisory activities and collaboration between authorities | | | | | | |
| 9. Review the effectiveness of CIR and CIRR processes | | | Significant | Minor | | |
| 10. Conduct ad-hoc data collection | | | | Moderate | | |
| 11. Address impediments to cross-border information sharing | | | | | | Profound |
| C. Industry engagement | | | | | | |
| 12. Foster mutual understanding of the benefits of reporting | Moderate | | Profound | Minor | | |
| 13. Provide guidance on effective CIR communication | | | | Moderate | | |
| D. Capability development (individual and shared) | | | | | | |
| 14. Maintain response capabilities which support CIR | | | Significant | Moderate | | |
| 15. Pool knowledge to identify related cyber events and cyber incidents | | | Significant | Significant | | |
| 16. Protect sensitive information | Significant | | | | Significant | |

Cell values indicate the degree to which a recommendation addresses each identified issue (Profound, Significant, Moderate, Minor); an empty cell means none.