The Final Report was released on April 13 by the Financial Stability Board (FSB) and includes recommendations that may be relied upon by financial authorities and financial institutions (FIs) where relevant and by taking into consideration their legal and regulatory framework (see our previous update here).
The finalised recommendations are as follows:
Establish and maintain objectives for Cyber Incident Reporting (CIR). Financial authorities should have clearly defined objectives for incident reporting, and periodically assess and demonstrate how these objectives can be achieved in an efficient manner, both for FIs and authorities.
Explore greater convergence of CIR frameworks. Financial authorities should continue to explore ways to align their CIR regimes with other relevant authorities, on a cross-border and cross-sectoral basis, to minimise potential fragmentation and improve interoperability.
Adopt common data requirements and reporting formats. Financial authorities should individually or collectively identify common data requirements, and, where appropriate, develop or adopt standardised formats for the exchange of incident reporting information.
Implement phased and incremental reporting requirements. Financial authorities should implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control.
Select appropriate incident reporting triggers. Financial authorities should explore the benefits and implications of a range of reporting trigger options as part of the design of their CIR regime.
Calibrate initial reporting windows. Financial authorities should consider potential outcomes associated with window design or calibration used for initial reporting.
Provide sufficient details to minimise interpretation risk. Financial authorities should promote consistent understanding and minimise interpretation risk by providing an appropriate level of detail in setting reporting thresholds, using common terminologies and supplementing CIR guidance with examples.
Promote timely reporting under materiality-based triggers. Financial authorities that use materiality thresholds should consider finetuning threshold language, or explore other suitable approaches, to encourage prompt reporting by FIs for material incidents.
Review the effectiveness of CIR and cyber incident response and recovery (CIRR) processes. Financial authorities should explore ways to review the effectiveness of FIs’ CIR and CIRR processes and procedures as part of their existing supervisory or regulatory engagement.
Conduct ad-hoc data collection. Financial authorities should explore ways to complement CIR frameworks with supervisory measures as needed and engage FIs on cyber incidents, both during and outside of live incidents.
Address impediments to cross-border information sharing. Financial authorities should explore methods for collaboratively addressing legal or confidentiality challenges relating to the exchange of CIR information on a cross-border basis.
Foster mutual understanding of benefits of reporting. Financial authorities should engage regularly with FIs to raise awareness of the value and importance of incident reporting, understand possible challenges faced by FIs and identify approaches to overcome them when warranted.
Provide guidance on effective CIR communication. Financial authorities should explore ways to develop, or foster development of, toolkits and guidelines to promote effective communication practices in cyber incident reports.
Maintain response capabilities which support CIR. FIs should continuously identify and address any gaps in their cyber incident response capabilities which directly support CIR, including incident detection, assessment and training on a continuous basis. Pool knowledge to identify related cyber events and cyber incidents. Financial authorities and FIs should collaborate to identify and implement mechanisms to proactively share event, vulnerability and incident information amongst financial sector participants to combat situational uncertainty, and pool knowledge in collective defence of the financial sector.
Protect sensitive information. Financial authorities should implement secure forms of incident information handling to ensure protection of sensitive information at all times.
On the same date, the FSB also released a common Format for Incident Reporting Exchange (FIRE) to foster greater convergence in CIR. It also updated its Cyber Lexicon with the inclusion of new terms:
Security Operations Centre (SOC)