By John Filar Atwood
In an effort to make cyber incident reporting more uniform across jurisdictions, the Financial Stability Board has issued recommendations that it believes will drive convergence in cyber reporting. The group’s ideas include identifying a minimum set of information that should be reported about cyber incidents, and identifying legal and operational impediments to sharing cyber information and working to reduce those barriers.
The FSB’s report follows its assessment of existing supervisory and regulatory practices, which found that fragmentation exists across sectors and jurisdictions concerning the scope of what should be reported for a cyber incident. The group also found differences in methodologies to measure severity and impact of an incident, the timeframes for reporting cyber incidents, and how cyber incident information is used.
The inconsistencies result in fragmentation in the reporting of cyber incidents, according to the FSB. Financial institutions that operate across jurisdictions are subjected to multiple reporting requirements for one incident, and financial regulators receive heterogeneous information for a given cyber incident which impacts their assessment of the risk to the financial institution and financial system. The FSB said that the goal of its report is to explore whether greater convergence in the reporting of cyber incidents could be achieved, including how authorities define a cyber incident.
Definition of cyber incident. In its research, the FSB found that the scope of cyber incidents required to be reported varies across jurisdictions and sectors. Some authorities do not distinguish between broader operational incidents and cyber incidents or define a ‘cyber incident’ more broadly than others, the FSB noted.
The FSB found that authorities often use ‘cyber incident’ interchangeably with ‘cyber event’, which is generally associated with ‘any observable occurrence in an information system’. In the FSB’s view, this may lead to excessive notification and reporting of incidents that can usually be managed by financial institutions.
Thresholds for reporting. The FSB also found that the thresholds for reporting cyber incidents vary across jurisdictions and sectors due to a lack of established methodology to measure impact and severity. In some cases, reporting thresholds are linked to the number or percentage of customers impacted, to market share or financial loss, or to qualitative indicators such as reputational risk, the FSB stated. Further, some authorities expect supervised institutions to define their own materiality thresholds, furthering differences in the materiality threshold across institutions.
Other discrepancies across jurisdictions are the reporting timeframe and how regulators use the reported information, according to the FSB. Regarding the timeliness of reporting, the FSB determined that it can range from ‘as soon as identified’ to 48 hours or longer. The group acknowledged that while providing early notifications to authorities would facilitate a timely supervisory response, requiring financial institutions to provide a full report within a short timeframe diverts resources from containing and addressing the cyber incident in a timely manner.
The FSB found that financial authorities use information from cyber incidents for different purposes depending on the relevant mandates, which may impact how they set their reporting requirements. In general, the FSB determined that more authorities use the reported information to monitor and assess vulnerabilities for a financial institution, rather than to assess how cyber incidents could pose risks to the financial system.
Information sharing. The FSB supports enhanced information sharing across jurisdictions about cyber incidents. The FSB believes that better information-sharing arrangements would help to reduce fragmentation in cyber incident reporting and promote a common understanding of the related risks.
The FSB noted that many financial authorities have formal or informal information-sharing arrangements with one or more authority outside their jurisdiction, but there are substantial differences in the scope, depth and the form of such information sharing. Improvements in cooperation can be made through written cooperation arrangements between regulators, which cover timely notification and communication among authorities as well as cooperation in response and mitigation activities, the FSB suggested.
Enhancing the consistency of the structure, content and timeliness of reports would also improve information-sharing and authorities’ ability to respond to an incident, in the FSB’s opinion. The group said that this could include developing a standardized exchange format and methodology for cyber incident reporting or a shared protocol which facilitates cooperation.
Recommendations. Given its findings on cyber reporting across jurisdictions, the FSB offered three ways to achieve greater convergence in cyber incident reporting. First, the group suggests developing best practices by identifying a minimum set of types of information authorities may require related to cyber incidents. This set of information would help authorities in determining reporting thresholds, timeframes for reporting and notification, while recognizing that a one-size-fits-all approach may neither be appropriate nor possible, the FSB said.
Second, the FSB recommends identifying key information items that should be shared across sectors and jurisdictions, and any legal and operational impediments to sharing such information. The FSB believes this would facilitate more information-sharing and help authorities obtain a better understanding of impacts of a cyber incident across jurisdictions. A multilateral solution to information-sharing problems would be difficult, the FSB acknowledged, so it will be essential for FSB member jurisdictions to continue bilateral and regional efforts to reduce legal and operational barriers to information sharing.
Finally, the FSB believes a common language for cyber incident reporting is needed. In particular, the FSB urged regulators to consider a common definition for ‘cyber incident’ that avoids the reporting of incidents that are not significant for a financial institution or financial stability.