The Financial Stability Board (FSB), in a global assessment of national financial regulators, has found a “fragmented” and “constrained” system for cyber incident reporting, undermining the financial industry’s cyber response and recovery capabilities and challenging financial system stability.
The findings outlined in the FSB’s Cyber Incident Reporting paper, which come after consultation with 23 out of 24 FSB member jurisdictions (including input from local regulators Reserve Bank of Australia, APRA and ASIC) and external stakeholders, reveal discrepancies in: measuring the impact of cyber incidents; timeframes for reporting incidents; and how this information is ultimately used.
For instance, the survey found that while more than 80 per cent of financial institutions are required by their local regulator(s) to report the date, time, impact and cause of a cyber incident, fewer than 40 per cent are obligated to report this same incident to state authorities, including the police, a national computer emergency response team (CERT) or state security agency.
Curiously, a little over half of all regulated financial services are required to report if a legal or regulatory breach occurred as a result of a cyber incident.
Specific timeframes for reporting an incident once identified can also “vary widely”, the FSB wrote, with only around 40 per cent required to report “as soon as [an incident] is identified”.
These inconsistencies are particularly problematic for financial institutions with a multinational presence, the FSB noted, subjecting these FSIs “to multiple reporting requirements” for a single cyber incident.
“At the same time”, it added, “financial authorities receive heterogeneous information for a given incident, which could undermine a financial institution’s response and recovery actions.”
“This underscores a need to address constraints in information sharing among financial authorities and financial institutions.”
Pursuing greater harmonisation of regulatory reporting of cyber incidents would serve to enhance financial stability across all jurisdictions, the FSB said.
This would build a common understanding and monitoring of cyber incidents, support effective supervision of cyber risks at financial institutions, and facilitate the coordination and sharing of information amongst authorities across sectors and jurisdictions.
The FSB said greater convergence in cyber incident reporting can be achieved by local financial regulators through the pursuit of three priorities:
1) The development of best practices: “Identify a minimum set of types of information authorities may require related to cyber incidents to fulfil a common objective (e.g. financial stability, risk assessment, risk monitoring) that authorities could consider when developing their cyber incident reporting regime.”
2) Identify common types of information to be shared: “Identify key information items that should be shared across sectors and jurisdictions, and to understand any legal and operational impediments to sharing such information. This would facilitate more information-sharing and help authorities obtain a better understanding of impacts of a cyber incident across sectors and jurisdictions.”
3) Create common terminologies for cyber incident reporting: “Harmonised cyber incident reporting schemes necessitate a ‘common language’. In particular, a common definition for ‘cyber incident’ is needed that avoids the reporting of incidents that are not significant for a financial institution or financial stability.”
The survey also found that Denial-of-Service (DoS) and malware attacks remain the predominant vectors of attack for malicious actors, accounting for 40 per cent and 30 per cent of malicious attacks, respectively, on financial services entities.
The FSB said it would work to develop detailed timelines and modalities to progress these priorities by the end of 2021.
The Financial Stability Board, operating in effect as a global regulator of financial regulators, coordinates national financial authorities and international standard-setting bodies to support the development, promotion and implementation of regulatory, supervisory and other financial sector policies.
The FSB’s Cyber Incident Reporting paper can be accessed here.