Summary of document history
The interconnectedness of the global financial system makes it possible that a cyber incident at one financial institution (or an incident at one of its third-party service providers) could have spill-over effects across borders and sectors.
Cyber incidents are rapidly growing in frequency and sophistication. At the same time, the cyber threat landscape is expanding amid digital transformation, increased dependencies on third-party service providers and geopolitical tensions.
Recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and for promoting financial stability, the G20 asked the FSB to deliver a report on achieving greater convergence in cyber incident reporting (CIR).
Drawing from the FSB’s body of work on cyber, including engagement with external stakeholders, the report identifies commonalities in CIR frameworks and details practical issues associated with the collection of cyber incident information from financial institutions (FIs) and the onward sharing between financial authorities. These practical issues include:
- operational challenges arising from the process of reporting to multiple authorities;
- setting appropriate and consistent qualitative and quantitative criteria/thresholds for reporting;
- establishing an appropriate culture to report incidents in a timely manner;
- inconsistent definitions and taxonomy related to cyber security;
- establishing a secure mechanism to communicate on cyber incidents; and
- legal or confidentiality constraints in sharing information with authorities across borders and sectors.
This report sets out 16 recommendations to address these issues with a view to promoting best practices in cyber incident reporting.
Recommendations mapped to identified issues and challenges
The report rates how strongly each recommendation addresses each of the identified issues and challenges (operational challenges; setting reporting criteria; culture of timely reporting; early assessment challenges; secure communications; cross-border and cross-sectoral issues) as Profound, Significant, Moderate or Minor, with no label meaning None. The ratings recorded against each recommendation are listed below; the per-issue column placement does not survive in this extract, so the ratings are not attributed to a specific issue.

| # | Recommendation | Ratings recorded |
|---|---|---|
| A | Design of CIR approach | |
| 1 | Establish and maintain objectives for CIR | Significant |
| 2 | Explore greater convergence of CIR frameworks | Moderate; Significant; Significant |
| 3 | Adopt common data requirements and reporting formats | Profound; Moderate; Moderate |
| 4 | Implement phased and incremental reporting requirements | Minor; Significant; Significant |
| 5 | Select appropriate incident reporting triggers | Profound |
| 6 | Calibrate initial reporting windows | Profound |
| 7 | Provide sufficient details to minimise interpretation risk | Profound |
| 8 | Promote timely reporting under materiality-based triggers | Significant; Moderate |
| B | Supervisory activities and collaboration between authorities | |
| 9 | Review the effectiveness of CIR and CIRR (cyber incident response and recovery) processes | Significant; Minor |
| 10 | Conduct ad-hoc data collection | Moderate |
| 11 | Address impediments to cross-border information sharing | Profound |
| C | Industry engagement | |
| 12 | Foster mutual understanding of benefits of reporting | Moderate; Profound; Minor |
| 13 | Provide guidance on effective CIR communication | Moderate |
| D | Capability development (individual and shared) | |
| 14 | Maintain response capabilities which support CIR | Significant; Moderate |
| 15 | Pool knowledge to identify related cyber events and cyber incidents | Significant; Significant |
| 16 | Protect sensitive information | Significant; Significant |