Financial Stability Board calls for uniformity in cyber-breach reporting
On October 19, the Financial Stability Board (FSB) released a report calling for greater convergence in the reporting of cyber incidents, given the digitalization of financial services and the growing use of third-party service providers. According to FSB’s report, Cyber Incident Reporting: Existing Approaches and Next Steps for Broader Convergence, financial institutions operating across borders or sectors are subject to multiple reporting requirements for a single cyber incident. Pointing out that “fragmentation exists across sectors and jurisdictions in the scope of what should be reported for a cyber incident; methodologies to measure severity and impact of an incident; timeframes for reporting cyber incidents; and how cyber incident information is used,” FSB cautioned that the lack of a common method for reporting cyber incidents “could undermine a financial institution’s response and recovery actions.” FSB also warned that the dissemination of “heterogeneous information” concerning a cyber incident “underscores a need to address constraints in information-sharing among financial authorities and financial institutions.” Harmonizing regulatory reporting would promote financial stability by ensuring there is a common method for monitoring cyberattacks in the sector, supporting effective supervision of cyber risks at financial institutions, and helping authorities share information between jurisdictions. FSB stated that it intends to create a detailed plan by the end of the year to (i) develop best practices for authorities to consider when developing their cyber incident reporting regime; (ii) identify key types of information that should be shared across the financial sector; and (iii) create a common terminology for cyber incident reporting.