THIS PAGE WAS LAST UPDATED ON 8 JUNE 2020
The European Banking Federation updated its position paper on cyber incident reporting by including a new annex describing the Danish Joint Solution for reports on IT Security Events (FLIIS), a successful example of a centralised reporting scheme.
The establishment of a centralised hub, which collects all incident reports from financial institutions and submits them to the competent authorities, should be considered the preferred model for reporting cyber incidents. By fulfilling these functions, the centralised hub would not only channel and coordinate the submission of reports more quickly and efficiently, but also indirectly facilitate the monitoring of cyber risks and trends at the national level.
This document aims to address the fragmentation of the EU cyber incident reporting framework, resulting from the existence of several different Incident Reporting Requirements across Europe, and to make proposals for regulators and policymakers for fostering information sharing and cooperation between Financial Institutions and Supervisory Authorities.
Depending on the type of incident, the reporting entity and the different legislations that apply, the current regulatory framework for incident reporting is characterised by:
• Different taxonomies;
• Different timelines, thresholds, information requirements and multiple templates for reporting;
• Various actors involved, from both the sender and receiver sides;
• Insufficient clarity in existing communication channels between public bodies and authorities (e.g. Europol, national law enforcement, national financial regulatory bodies, national CERTs).
These elements create additional regulatory and operational burdens that financial institutions have to abide by during or immediately after having suffered a cyber incident. They also prevent the creation of more centralised and uniform mechanisms that could speed up the reporting process and enable a smoother exchange of information and good practices. Because of the complex rules and reporting channels, the existing divergent requirements result in coordination and compliance challenges.
In order to ensure that financial institutions are able to report cyber incidents quickly and effectively without sacrificing proper incident management and recovery processes, and very much in line with the ESAs' Joint Advice on legislative improvements, the European Banking Federation (EBF) makes the following proposals for supervisors and regulators:
• Establish a central reporting and coordination hub in each Member State;
• Harmonise reporting thresholds and create a common taxonomy for cybersecurity incidents;
• Foster public-private real-time collaboration between regulators, supervisors, law enforcement, financial institutions and other cross-sectoral infrastructure actors;
• Further involve national CERTs in information sharing;
• Introduce a regular bi-directional information flow between regulators/supervisors and the industry.
For more information:
Head of Cybersecurity & Innovation