Financial Stability Board issues uniform bank cyberattack reporting framework

Article
NL Law

On 13 April 2023, the Financial Stability Board (FSB) published a report on convergence in Cyber Incident Reporting (CIR). The G20 had asked the FSB to deliver a report on this topic as it recognizes the importance of timely and accurate information for effective incident response, recovery and financial stability.

The FSB consists of central banks, financial regulators and treasury officials from the G20. It monitors and makes recommendations about the global financial system. The current chair of the FSB is Klaas Knot, who is also President of the Dutch Central Bank.

Background information

Cyber incidents are on the rise. At the same time, the global financial system is more dependent on the digital landscape than ever. The FSB fears that a cyber incident directed at one financial institution may have spillover effects on other institutions. Timely and accurate information on cyber incidents is crucial for effective incident response, recovery and financial stability. This can be achieved by harmonizing CIR.

After a public consultation in 2022 that sought to outline the common issues with cyber security incident reporting, the FSB acknowledged the existence of multiple CIR-related issues and challenges. Some of these issues are of a practical nature, such as setting reporting criteria that are relevant in all incident circumstances, or determining an appropriate time window for financial institutions to fulfil their reporting obligation. The FSB also acknowledges operational challenges, challenges concerning secure communications, early assessment challenges and cross-border or cross-sectoral issues. Another issue is the late reporting of cyber incidents. This can seriously delay or impede the assessment and response by both financial institutions and financial authorities. Financial authorities need timely and correct information to ensure trust in the financial system.

Recommendations

The FSB has put forward sixteen recommendations to address the identified impediments to greater convergence in CIR. These recommendations primarily aim to remove existing barriers that are obstructing greater harmonization of cyber incident reporting. Besides these recommendations, the FSB has also expanded its Cyber Lexicon and proposed a concept for a common Format for Incident Reporting Exchange (FIRE).

These recommendations are:

  1. Establish and maintain objectives for CIR
  2. Explore greater convergence for CIR frameworks
  3. Adopt common data requirements and reporting formats
  4. Implement phased and incremental reporting requirements
  5. Select appropriate incident reporting triggers
  6. Calibrate initial reporting windows
  7. Provide sufficient details to minimize interpretation risk
  8. Promote timely reporting under materiality-based triggers
  9. Review the effectiveness of CIR and cyber incident response and recovery (CIRR) processes
  10. Conduct ad hoc data collection
  11. Address impediments to cross-border information sharing
  12. Foster mutual understanding of benefits of reporting
  13. Provide guidance on effective CIR communication
  14. Maintain response capabilities that support CIR
  15. Pool knowledge to identify related cyber events and cyber incidents
  16. Protect sensitive information

Impact of recommendations

The FSB acknowledges in its annex to the report that some of the recommendations are expected to have a stronger impact, if implemented, than others.

Of the challenges described, the early assessment and secure communication challenges are least addressed by the recommendations, with only two recommendations of significant impact each. The challenge of establishing a culture of timely reporting is addressed by one recommendation of profound impact and four of significant impact. At the same time, the challenge of setting reporting criteria is addressed most, with three recommendations of profound impact and one of significant impact.

It is up to financial authorities to decide to what extent they will implement these recommendations in their legal and regulatory framework. Some of the challenges concern cross-border activities, which means that financial authorities will have to cooperate to lower the administrative burden for financial institutions. The FSB makes it clear that the burden of implementation is not only on financial authorities, but also on financial institutions.

We note that there might be some overlap between the FSB recommendations and the provisions on CIR in the EU Digital Operational Resilience Act (DORA). DORA contains an obligation to notify the competent authorities in case of severe cyber incidents, and a possibility to voluntarily report threats that are deemed to be relevant for the financial system. The European Supervisory Authorities will develop common draft regulatory technical standards for the content of these notifications, as well as common draft implementing technical standards in order to establish the standard forms, templates and procedures for financial entities to report a major ICT-related incident and to notify a significant cyber threat. The goal is to achieve a centralized and harmonized notification system.

In addition to mandatory and voluntary incident and threat notifications, DORA also encourages information-sharing arrangements on cyber threat information and intelligence. Under certain conditions, financial institutions may exchange threat intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools, to the extent that such information and intelligence sharing aims to enhance the digital operational resilience of financial entities.

DORA may therefore partly be a way for financial authorities to implement the FSB recommendations.

Conclusion

The new FSB report on CIR sets out to increase convergence in CIR for financial authorities and financial institutions. The recommendations address issues and challenges that currently impede harmonization of CIR. As there are many differences between jurisdictions, it is up to financial authorities and financial institutions to decide to what extent they will implement the recommendations.