Cyber incident reporting: convergence is key

FSB working group chair advocates common reporting framework and taxonomy

Current geopolitical tensions have reinforced the need to counter the risk of cyber attacks globally. The number of such attacks has grown over the past two years, threatening not only individual institutions, but also broader financial stability. Financial institutions and regulatory authorities have taken great steps in strengthening their supervisory and regulatory practices around cyber security. This includes timely and accurate information on cyber incidents.

Yet requirements and practices for cyber incident reporting differ significantly across jurisdictions. This hampers globally active financial institutions’ ability to respond to an incident efficiently, minimize the harm and recover operations as quickly as possible. To support effective incident response and recovery, the G20 asked the Financial Stability Board (FSB) to explore how to achieve greater convergence in cyber incident reporting.

The proposals in the FSB’s consultative document, published this week, could greatly reduce operational challenges faced by financial institutions reporting to multiple authorities, and foster better communication of critical episodes between authorities. Directed at financial authorities and financial institutions, they recommend greater convergence among cyber incident reporting frameworks, and aim to address some of the operational challenges associated with incident reporting – particularly during the early stages of a cyber incident, when confidence may be low about the cause and impact of the incident.

The use of a common language is essential for greater convergence in cyber incident reporting. Importantly, a common definition and understanding for what constitutes a ‘cyber incident’ is needed to avoid the over-reporting of incidents that are not meaningful for financial authorities or financial stability. The FSB has updated its 2018 Cyber Lexicon, to establish common terminologies. The Lexicon focuses on the core terms necessary to support the FSB’s efforts to ensure a common understanding of relevant cyber security terminology across sectors and facilitate information exchange as appropriate. Those terms also support work by the FSB and its members to assess and monitor the risks to financial stability of different cyber risk scenarios, and to provide guidance related to cyber resilience, including identifying effective practices.

The FSB proposals also include the concept of a common Format for Incident Reporting Exchange (Fire). Fire provides a set of common data elements that have been identified across member jurisdictions. This framework aims to be truly transformational while remaining flexible to a range of implementation practices. This will allow authorities to decide the extent to which they wish to adopt Fire – if at all – based on their own individual needs. And while the potential costs are high, the benefits of its adoption will be higher.


Fire can help reduce the operational burden on financial institutions that have to report to multiple financial authorities. For example, in the event of a cyber incident that triggers reporting requirements, one global systemically important bank (G-Sib) has to, within the first 72 hours, verbally contact five or more authorities, issue between seven and 13 written notifications, complete and submit 12 to 14 initial incident report forms, and enter details into between five and nine online reporting portals.

Each report has a different communication format, style and timeframe, and each needs to be reviewed by incident responders during the most critical period of the initial investigation. Sufficiently broad adoption of Fire would lead to further convergence in incident reporting and would save resources by allowing reporting to be automated, generating further efficiencies.

Change can be expensive, however. There may be implementation costs involved in altering existing regulatory policies and rules, as well as one-off costs related to the investment in – and migration to – new technology systems. Those costs may be less palatable than the current recurring overhead of operational challenges. One of our next steps will be to understand the feasibility of taking Fire beyond this initial concept stage and what preconditions would be necessary before commencing its development. We are conducting a public consultation, which ends on December 31, 2022, and hope to hear further from industry on these points.

Giuseppe Siani is chair of the FSB’s working group on cyber incident reporting and head of the directorate general for financial supervision and regulation at Banca d’Italia
