Skip to main content
Menu Icon
Close

InfoBytes Blog

Financial Services Law Insights and Observations

FSB: Greater convergence needed in cyber-incident reporting

Privacy, Cyber Risk & Data Security Financial Stability Board Of Interest to Non-US Persons

Privacy, Cyber Risk & Data Security

On April 13, the Financial Stability Board (FSB) released a series of recommendations for achieving “greater convergence” in cyber-incident reporting (CIR). Issued at the request of the G-20, the final report draws from FSB’s body of work on cybersecurity, as well as its engagement with external stakeholders. In order to promote greater convergence in CIR, the report focuses on three components: (i) recommendations for addressing the issues identified as impediments to achieving greater harmonization in cyber incident reporting; (ii) an updated and enhanced cyber lexicon to include new CIR terms and encourage the use of “common language”; and (iii) a common, flexible format for incident reporting exchange (FIRE) that would allow a range of adoption choices and include the most relevant data elements for financial authorities.

The report presents 16 recommendations for addressing issues associated with the collection of cyber incident information from financial institutions, including the importance of establishing clearly defined objectives for incident reporting (and practical measures for sharing such information), aligning CIR regimes on a cross-border/cross-sectoral basis to reduce fragmentation and improve interoperability, and adopting common data requirements and standardized reporting formats. The report observes that financial institutions operating across multiple jurisdictions and sectors often face operational challenges due to the current process of having to report cyber incidents to multiple authorities. FSB states it will continue to work on a concept for a common format for FIRE to enable authorities to collect information from financial institutions in a more consistent manner. “Financial authorities and institutions can choose to adopt these recommendations as appropriate and relevant, consistent with their legal and regulatory framework,” FSB states in the report.