InfoBytes Blog

Financial Services Law Insights and Observations

FSB outlines steps to promote convergence in cyber incident reporting

Privacy, Cyber Risk & Data Security

On October 17, the Financial Stability Board (FSB) released a series of recommendations for promoting convergence in cyber incident reporting (CIR). Recognizing that a “one-size-fits-all approach” is neither feasible nor preferable, FSB noted that financial authorities and financial institutions may choose to adopt the report’s recommendations as appropriate and necessary, consistent with their legal and regulatory frameworks. Among other things, the recommendations call on financial authorities to (i) establish and maintain clearly defined incident reporting objectives and explore ways to align their CIR regimes with other relevant authorities; (ii) adopt common reporting formats and develop standardized formats for exchanging incident reporting information; (iii) review the effectiveness of their CIR processes and address impediments to cross-border information sharing; (iv) engage regularly with financial institutions to foster mutual understanding of the benefits of CIR and provide guidance on effective CIR communication; and (v) implement secure forms of incident information handling to protect sensitive information. Additionally, financial authorities and institutions should collaboratively implement measures for sharing information related to cyber events and vulnerabilities in order to “combat situational uncertainty” and “pool knowledge in collective defense of the financial sector.” Financial institutions should also continuously identify and address any gaps in their CIR capabilities.