Big businesses, especially those with a global footprint and operating in regulated sectors, are increasingly confronted with new and diverging cyber incident reporting requirements. A single incident—even a relatively minor one—may require notification to dozens of data protection, cyber, law enforcement, and sectoral regulators around the world, in addition to insurers, customers, and counterparties. Not only do many regulatory reporting obligations have materially different triggers, but also significant variation exists in reporting timeframes, content requirements, and subsequent regulatory engagement practices. The cumulative effect of this regulatory spiderweb of red tape is often to divert attention and resources away from substantive incident response and remediation, and to create a bureaucratic vortex for compliance and legal personnel.  To make matters worse, businesses cannot simply hire their way out of this morass. With a ~3.4 million person shortage in information security professionals, when regulators force too much attention on incident reporting they are invariably diverting eyes from actual information security.

The Financial Stability Board (FSB), an influential international body consisting of the world’s leading financial services regulators, has been analyzing this issue for the past few years and sounding the alarm over this challenging notification landscape. In a report published in April 2023,  “Recommendations to Achieve Greater Convergence in Cyber Incident Reporting: Final Report” (Report), the FSB provided incisive commentary on practical issues and challenges to achieving greater convergence in cyber incident reporting and made sixteen recommendations, principally directed to financial authorities, to improve the situation. The North American Securities Administrators Association (NASAA) agrees with the FSB’s call for harmonization. After the SEC issued multiple proposed rules calling for different forms to be used for incident reporting, NASAA submitted a comment letter on the proposed rules in May 2023 calling for harmonization of the reporting requirement with the proposal of creating just one form that would be filed with the Financial Industry Regulatory Authority (FINRA).

In this blog post, we summarize the FSB Report and its key recommendations, and explain how financial institutions may wish to:

  • Use the Report to inform the design of governance frameworks and procedures for cyber incident reporting;
  • Consider seeking to more proactively engage with financial authorities on the sorts of issues raised in the Report—in the direction of greater workability and convergence; and
  • Inform and substantiate future engagement in regulatory and legislative feedback processes.

Key Findings

In 2022, the FSB surveyed FSB members and financial institutions about cyber reporting requirements and experiences. Based on those surveys, and its own analysis, the Report made a number of incisive findings about issues and challenges in cyber incident reporting:

  • Operational challenges. Financial institutions often have a lot of reporting requirements, many of which require actioning immediately or on very short timeframes. Material differences in reporting triggers and reporting templates make it difficult to meet all of these requirements in a manner that achieves financial authority objectives. The short timeframes also draw resources and attention away from incident response and remediation at a time when this is critical.
  • Setting reporting criteria. Determining and articulating appropriate reporting obligation trigger points is difficult. This is especially challenging for qualitative reporting triggers. Divergent criteria between financial authorities increase the risk of misalignment between financial authority and institution understandings about the meaning of thresholds.
  • Early assessment challenges. Making and communicating early assessments about cyber incidents is difficult because of the chaotic and indefinite nature of cyber incidents. Root causes often take time to determine. While a timely and complete picture is important for authorities, expectations about the level of completeness add stress and divert resourcing away from efforts to resolve incidents.
  • Culture of timely reporting. Relatedly, timely reporting to financial authorities is important to authorities for various reasons. But there are numerous impediments to achieving timely reporting, including challenges in making accurate assessments, fear of reputational damage, and delays in the detection of incidents.
  • Secure communications. The handling of incident reports in a secure and appropriate manner is important to financial institutions. But financial institutions are concerned about risks in communicating incidents via unencrypted email, which remains the most common method of reporting, and designated platforms, which may be targeted by threat actors.

Key Recommendations

While emphasizing that a one-size-fits-all approach is not appropriate, the recommendations emphasized the desirability of greater convergence among cyber incident reporting frameworks. Specific key recommendations included:

  1. Adopt common data requirements and reporting formats. Financial authorities should individually or collectively identify common data requirements, and, where appropriate, develop or adopt standardized formats for the exchange of incident reporting information.
  2. Implement phased and incremental reporting requirements. Financial authorities should implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control.

  1. Calibrate initial reporting windows. Financial authorities should consider potential outcome associated with window design or calibration used for initial reporting.
  2. Provide sufficient details to minimize interpretation risk. Financial authorities should promote consistent understanding and minimize interpretation risk by providing an appropriate level of detail in setting reporting thresholds, using common terminologies and supplementing [reporting] guidance with examples.
  3. Promote timely reporting under materiality-based triggers. Financial authorities that use materiality thresholds should consider finetuning threshold language, or explore other suitable approaches, to encourage prompt reporting by [institutions] for material incidents.

  1. Protect sensitive information. Financial authorities should implement secure forms of incident information handling to ensure protection of sensitive information at all times.

Opportunities for Financial Institutions to Leverage the Report

The Report is principally directed to financial authorities and the political actors that have the ability to shape the laws and regulations they enforce. However, recognizing the influential role of the FSB and the incisiveness of the Report, financial institutions may wish to consider leveraging it in several ways:

  • First, financial institutions may wish to use the Report to inform the design of governance frameworks and procedures for cyber incident reporting. For example, the FSB’s identification of timeliness as a generalized regulatory concern may favor investment in processes which enhance the ability of institutions to make timely reports. Further, and while governance frameworks obviously need to be tailored to each entity’s regulatory requirements, the FSB’s recommendation to harmonize reporting requirements may influence the perceived desirability within financial institutions of centralized oversight and control of cyber incident reporting and engagement.
  • Second, financial institutions might wish to consider seeking to influence more proactively financial authorities on the sorts of issues raised in the Report—in the direction of greater workability and convergence. For example, financial institutions may wish to consider proactively engaging with financial authorities on (i) voluntary “interim” reporting as a means of improving timeliness while managing expectations around level of detail in early-stage reports, and (ii) financial institution-defined guidance and examples to ensure alignment on materiality thresholds. Such engagement may yield both entity specific outcomes and influence broader regulatory direction.
  • Third, financial institutions may wish to consider leveraging the Report to inform and substantiate future engagement in regulatory and legislative feedback processes. Broadly, the Report gives voice to many concerns which have been long held by financial institutions with respect to the challenges posed by the increasingly complicated cyber incident reporting landscape. The Report is a valuable resource to draw on and point to in policy discussions about responding to the myriad issues raised by the proliferation of divergent reporting requirements and the imperative to find greater convergence.

 

To subscribe to the Data Blog, please click here.

The cover art used in this blog post was generated by DALL-E.

Author

Luke Dembosky is a Debevoise litigation partner based in the firm’s Washington, D.C. office. He is Co-Chair of the firm’s Data Strategy & Security practice and a member of the White Collar & Regulatory Defense Group. His practice focuses on cybersecurity incident preparation and response, internal investigations, civil litigation and regulatory defense, as well as national security issues. He can be reached at ldembosky@debevoise.com.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Erez is a litigation partner and a member of the Debevoise Data Strategy & Security Group. His practice focuses on advising major businesses on a wide range of complex, high-impact cyber-incident response matters and on data-related regulatory requirements. Erez can be reached at eliebermann@debevoise.com

Author

Kristin Snyder is a litigation partner and member of the firm’s White Collar & Regulatory Defense Group. Her practice focuses on securities-related regulatory and enforcement matters, particularly for private investment firms and other asset managers.

Author

Charu A. Chandrasekhar is a litigation partner based in the New York office and a member of the firm’s White Collar & Regulatory Defense and Data Strategy & Security Groups. Her practice focuses on securities enforcement and government investigations defense and cybersecurity regulatory counseling and defense.

Author

Tristan Lockwood is an associate in the firm’s Data Strategy & Security practice. He can be reached at tlockwood@debevoise.com.