On 17 October 2022, the Financial Stability Board (FSB) published a consultative document on Achieving Greater Convergence in Cyber Incident Reporting (CIR). In parallel, the FSB invited feedback on this document. In 2021, the FSB had already published a report on CIR. That report set out three ways the FSB would take work forward to achieve greater convergence in cyber incident reporting: developing best practices, creating common terminologies for CIR, and identifying common types of information to be shared across jurisdictions and sectors.

To inform its work, the FSB conducted a survey among its members to identify the most common reporting objectives and types of reporting performed; understand the practical issues financial authorities and financial institutions have in collecting or using incident information; identify the information items authorities collect to meet the common reporting objectives, including a review of existing incident reporting templates; and explore the mechanisms for financial authorities to share incident information across borders and sectors.

Drawing on the survey findings, the FSB has set out recommendations to address impediments to achieving greater convergence in CIR, with a view to promoting better practices. This work also helped to inform refinements to the Cyber Lexicon, which resulted in the addition of four terms and the revision of three definitions. The FSB also reviewed financial authorities’ incident reporting templates and identified commonalities in the information collected. Building on this work, the FSB presented a concept for a format for incident reporting exchange (FIRE) to promote convergence, address operational challenges arising from reporting to multiple authorities, and foster better communication.

In response to this initiative, WSBI-ESBG replied to the call for feedback on the consultative document on cyber incident reporting, in particular calling for a harmonised reporting approach between different regulatory bodies, processes, and data requests. In terms of promoting greater convergence in CIR, financial authorities could offer tools and platforms that minimize operational issues for reporting of incidents.
Finally, members underlined the importance of having clear definitions to avoid confusion and to differentiate between the term ‘cyber incident’ and its subcategory ‘cybersecurity incident’.
