The Swiss-headquartered Financial Stability Board (FSB) published a report on 13 April with recommendations to achieve greater convergence in cyber incident reporting.
In a statement it said cyber incidents are rapidly growing in frequency and sophistication: "The interconnectedness of the global financial system makes it possible that a cyber incident at one financial institution (or an incident at one of its third-party service providers) could have spill-over effects across borders and sectors.
"In many jurisdictions, financial authorities have introduced cyber incident reporting requirements for financial institutions, which are crucial for effective policy response and promoting financial stability.
"Over the last decade, however, meaningful differences have and continue to emerge in the requirements and practices associated with cyber incident reporting. Recognising that timely and accurate information on cyber incidents is crucial for effective incident response and recovery and promoting financial stability, the G20 asked the FSB to deliver a report on achieving greater convergence in cyber incident reporting."
To meet this call, the FSB further said it conducted work to promote greater convergence in cyber incident reporting in three ways:
- Setting out recommendations to address the issues identified as impediments to achieving greater harmonisation in cyber incident reporting. Financial authorities and institutions can choose to adopt these recommendations as appropriate and relevant, consistent with their legal and regulatory framework.
- Enhancing the Cyber Lexicon to include additional terms related to cyber incident reporting, as a 'common language' is necessary for increased convergence.
- Identifying common types of information that are submitted by financial institutions to authorities for cyber incident reporting purposes, which culminated in a concept for a common format for incident reporting exchange (FIRE) to collect incident information from financial institutions and use between themselves.
These initiatives would help to promote cyber resilience as the threat landscape becomes increasingly complex, it said.
The FSB published a report on Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence in October 2021.
The report found that fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used.
This subjects financial institutions that operate across borders or sectors to multiple reporting requirements for one cyber incident. At the same time, financial authorities receive heterogeneous information for a given incident, which could undermine a financial institution's response and recovery actions.
In October 2022, in response to a request from the G20 to take forward work to achieve greater convergence in cyber incident reporting, the FSB initiated a public consultation on its proposals.
The FSB has also published today an overview of the responses to its consultation.
The FSB developed a Cyber Lexicon in 2018 to foster a common understanding of relevant cyber security and cyber resilience terminology across the financial sector, including banking, financial market infrastructures, insurance and capital markets, and with other industry sectors.
A common lexicon aims to foster a common understanding with other industry sectors and facilitate appropriate cooperation to enhance cyber security and cyber resilience.
The FSB coordinates at the international level the work of national financial authorities and international standard-setting bodies and develops and promotes the implementation of effective regulatory, supervisory, and other financial sector policies in the interest of financial stability.
It brings together national authorities responsible for financial stability in 24 countries and jurisdictions, international financial institutions, sector-specific international groupings of regulators and supervisors, and committees of central bank experts. The FSB also conducts outreach with approximately 70 other jurisdictions through its six Regional Consultative Groups.
The FSB is chaired by Klaas Knot, President of De Nederlandsche Bank. The FSB Secretariat is located in Basel, Switzerland, and hosted by the Bank for International Settlements.