Given the increasing amount of cyber attacks it is important that material information is shared quickly with authorities, and where possible between authorities and firms. Financial firms are uniquely positioned to play an important role in supporting and protecting the overall cyber resilience of the financial system. Cyber incident reporting can be a beneficial tool that helps protect the overall financial system by making authorities aware of specific incidents and alerting them to issues that could be impacting other parts of the financial system, including in other jurisdictions. Depending on how authorities respond to the information, it can also help firms recover faster and prevent other organizations from being impacted by that same (or similar) cyber incident.
In practice, however, cyber incident reporting is less effective than it can be due to ambiguity around how firms and authorities define what constitutes a cyber incident, and differing approaches and reporting requirements across the various authorities. These differences are compounded by insufficient information-sharing, including from authorities to firms, and inadequate cross-border cooperation and collaboration.
This IIF paper sets out to explain the current approach to cyber incident reporting across key jurisdictions and the ways in which it can be improved. Ambiguity around definitions has created regulatory fragmentation across firms and authorities. The substantial differences between stakeholders in terms of what information needs to be shared about cyber incidents, within what timeframe, and even the format in which the information needs to be submitted, may lead to inconsistencies across jurisdictions that can limit the effectiveness of information shared by authorities to financial firms regarding the threat landscape, and potentially impeding similarly affected or vulnerable firms from addressing the cyber incident quickly and effectively. To help address these issues this paper also suggests several industry practices, as well as policy recommendations to help promote greater consistency and closer cooperation to support effective cyber incident reporting, within and across borders.