The Institute of International Finance (IIF) has submitted a response to the Financial Stability Board (FSB) Consultative Document on “Achieving Greater Convergence in Cyber Incident Reporting.” In the letter we commend the FSB’s long-standing leadership in promoting greater harmonization around cyber security and cyber risk practices, including in this case around incident reporting across financial institutions and reporting authorities around the world. Cyber incident reporting (CIR), when used effectively, can be a beneficial tool that helps protect the global financial system. Increased awareness, visibility, and incident exchange, including across jurisdictions, can help disrupt and stop adversaries and assist affected financial institutions (FIs) with protection, mitigation, and response. The proliferation of cyber incidents in recent years has only highlighted the importance of coordinated information sharing between and among the public and private sectors.
As the FSB has rightly identified in this consultation, and as has been detailed in a previous IIF Staff Paper, CIR is often challenged by differing approaches and reporting requirements across various jurisdictions and authorities when it comes to what information is shared, in what format, and in what timeframe. There can be multiple policy objectives at play across the incident reporting landscape, such as providing early warning with actionable information and voluntary supplemental information sharing as an incident unfolds.
In the consultation response we urge the FSB to encourage member jurisdictions to ensure that incident reporting requirements are simple, tied to an actionable purpose, and efficient. The IIF also encourages the FSB to highlight the importance of bidirectional sharing of reported information from authorities to FIs. Information related to material cyber incidents and operational outages that is reported to authorities should be fed back to FIs, which can then take measures to bolster their cyber security and thereby enhance the resiliency of the sector.
The IIF supports the revised definition of a “cyber incident” and recommends that the FSB clearly demarcate between a malicious cyber incident and an operational incident in its definitions. As such, we recommend the FSB remove “non-malicious” incidents from the scope of its definition of a cyber incident. Instead, we propose that the FSB add a separate definition for operational incidents, such as those incidents created by human error (e.g., failed change management, faulty hardware).
Finally, the IIF also supports the FSB’s proposed “Format for Incident Reporting Exchange (FIRE)” to help firms share information on relevant cyber incidents efficiently and effectively. It is important that financial authorities work together to develop a common reporting approach to CIR. As mentioned in the consultation, FIs comply with a number of reporting requirements that maintain different definitions, timelines, and reporting thresholds, as well as oversight and enforcement mechanisms.