The proposal document builds on a 2021 FSB study of the various approaches to cyber incident reporting (CIR). The proposal is being published in response to a G20 request and against the backdrop of an expanding cyber threat landscape and an increase in the frequency and sophistication of cyberattacks. The fear of a loss of confidence in financial markets as a result of a cyber incident that spreads uncontrollably through the system is never far from the minds of the governments of developed economies. According to the FSB, enhancing cyber resilience is a key element in promoting financial stability both now and in the future, and remains a priority for both financial authorities and financial institutions (FIs).
The FSB has identified six key challenges to achieving closer convergence in CIR:
- Operational challenges;
- Appropriate and consistent reporting criteria / thresholds;
- Timeliness of reporting;
- Inconsistent definitions and taxonomy;
- Establishment of a secure communication mechanism; and
- Cross-border information sharing challenges.
In its proposal the FSB:
- makes 16 key recommendations to help address these challenges (a table of these recommendations can be found below);
- proposes the addition of four new terms to the Cyber Lexicon: Insider Threat, Phishing, Ransomware, Security Operations Centre;
- proposes the revision of three existing cyber lexicon definitions: Cyber Incident, Cyber Incident Response Plan, Information System;
- identifies “common types of information to be shared across jurisdiction and sectors”; and
- presents the Format for incident reporting exchange (FIRE) format, which is intended to enhance incident reporting practices globally.
Timeliness and assessment challenges are the key practical issues for effective CIR
The proposal includes a summary of the findings of an FSB CIR survey conducted in 2022. The survey gathered information on the practical issues facing both financial authorities and FIs in collecting and using cyber incident information. Problems include operational challenges, inconsistent definitions, reporting thresholds and secure communications. However, the two biggest issues are the timeliness of reporting and the early assessment challenges connected to cyber incidents more generally.
According to the FSB, continuing issues with the timeliness of reporting potentially have a significant impact, particularly where the incident in question has the potential to spread and escalate into an industry-wide crisis. The proposal identifies five key issues that underlie the continuing problems with timely reporting:
- poor culture / lack of awareness;
- fear of reputational damage and increased regulatory scrutiny;
- inadequate detection capabilities;
- lack of / unclear reporting requirements; and
- inadequate escalation / reporting procedures.
Early assessment challenges feed into and can exacerbate problems with timely reporting. Because cyber incidents, by their very nature, are often difficult to identify and pinpoint, it takes time to analyse and assess their root cause and impact. By the time the FI has enough information about the incident to trigger a report to the financial authority, it may well be far too late to prevent other institutions from being successfully targeted. The FSB’s proposal to extend materiality triggers to “encourage FIs to report incidents where reporting criteria have yet to be met but are likely to be breached” is an attempt to address this issue.
Common reporting format proposed
The proposal introduces the Format for incident reporting exchange (FIRE) concept “as an approach to standardise common information requirements for incident reporting”. The format is intended to be flexible and “would not require strict global convergence” according to the FSB.
The FIRE concept is organised around five data groups that are intended to answer key questions about the cyber incident:
- Reporting Entity – who issued the report and to whom?
- Incident – what happened / is happening?
- Actor – whose actions led to the incident?
- Impact Assessment – what are the negative effects?
- Incident Closure – what caused the incident and what are the remedial actions?
In a sense, FIRE traces the incident from its initial identification through to closure and a “lessons learnt” process, i.e. the implementation and application of systems and processes to ensure that the same incident does not affect the FI again in the future. For assessing the impact of the incident and its consequences, FIRE is coupled with ISO 22300:2021, which provides the definitions for the ISO 22300 family of standards.
Report recommendations

| Recommendation | Description |
| --- | --- |
| Establish and maintain objectives for CIR | Financial authorities should have clearly defined objectives for incident reporting, and periodically assess and demonstrate how these objectives can be achieved in an efficient manner, both for FIs and authorities. |
| Explore greater convergence of CIR frameworks | Financial authorities should continue to explore ways to align their CIR regimes with other relevant authorities, on a cross-border and cross-sectoral basis, to minimise potential fragmentation and improve interoperability. |
| Adopt common reporting formats | Financial authorities should individually or collectively identify common data requirements, and, where appropriate, develop or adopt standardised formats for the exchange of incident reporting information. |
| Implement phased and incremental reporting requirements | Financial authorities should implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control. |
| Select incident reporting triggers | Financial authorities should explore the benefits and implications of a range of reporting trigger options as part of the design of their CIR regime. |
| Calibrate initial reporting windows | Financial authorities should consider potential outcomes associated with window design or calibration used for initial reporting. |
| Minimise interpretation risk | Financial authorities should promote consistent understanding and minimise interpretation risk by providing an appropriate level of detail in setting reporting thresholds, including supplementing CIR guidance with examples, and engaging with FIs. |
| Extend materiality-based triggers to include likely breaches | Financial authorities that use materiality thresholds should explore adjusting threshold language, or use other equivalent approaches, to encourage FIs to report incidents where reporting criteria have yet to be met but are likely to be breached. |
| Review the effectiveness of CIR processes | Financial authorities should explore ways to review the effectiveness of FIs’ CIR processes and procedures as part of their existing supervisory or regulatory engagement. |
| Conduct ad-hoc data collection and industry engagement | Financial authorities should explore ways to complement CIR frameworks with supervisory measures as needed and engage FIs on cyber incidents, both during and outside of live incidents. |
| Address impediments to cross-border information sharing | Financial authorities should explore methods for collaboratively addressing legal or confidentiality challenges relating to the exchange of CIR information on a cross-border basis. |
| Foster mutual understanding of benefits of reporting | Financial authorities should engage regularly with FIs to raise awareness of the value and importance of incident reporting, understand possible challenges faced by FIs and identify approaches to overcome them when warranted. |
| Provide guidance on effective CIR communication | Financial authorities should explore ways to develop, or foster development of, toolkits and guidelines to promote effective communication practices in cyber incident reports. |
| Maintain response capabilities which support CIR | FIs should continuously identify and address any gaps in their cyber incident response capabilities which directly support CIR, including incident detection, assessment and training on a continuous basis. |
| Pool knowledge to identify related cyber events and cyber incidents | Financial authorities and FIs should collaborate to identify and implement mechanisms to proactively share event, vulnerability and incident information amongst financial sector participants to combat situational uncertainty, and pool knowledge in collective defence of the financial sector. |
| Protect sensitive information | Financial authorities should implement secure forms of incident information handling to ensure protection of sensitive information at all times. |