EBF position on Cyber incident reporting

16 October 2019

This document aims to address the fragmentation of the EU cyber incident reporting framework, resulting from the existence of several different incident reporting requirements across Europe, and to make proposals for regulators and policymakers for fostering information sharing and cooperation between Financial Institutions and Supervisory Authorities.

Depending on the type of incident, the reporting entity and the different legislations that apply, the current regulatory framework for incident reporting is characterised by:

• Different taxonomies;
• Different timelines, thresholds, information requirements and multiple templates for reporting;
• Various actors involved, from both the sender and receiver sides;
• Insufficient clarity in existing communication channels between public bodies and authorities (e.g. Europol, national law enforcement, national financial regulatory bodies, national CERTs).

These elements create additional regulatory and operational burdens that financial institutions have to abide by during or immediately after having suffered a cyber incident. They also prevent the creation of more centralised and uniform mechanisms that can speed up the reporting process and enable a smoother exchange of information and good practices. Due to the complex rules and reporting channels, existing different requirements result in coordination and compliance challenges.

In order to ensure that financial institutions are able to quickly and effectively report cyber incidents without at the same time sacrificing a proper incident management and recovery process, and very much in line with the ESAs Joint Advice on legislative improvements, the European Banking Federation (EBF) makes the following proposals for supervisors and regulators:

• Establish a central reporting and coordination hub in each Member State;
• Harmonise reporting thresholds and create a common taxonomy for cyber security incidents;
• Foster public-private real-time collaboration between regulators, supervisors, law enforcement, financial institutions and other cross-sectoral infrastructure actors;
• Further involve national CERTs in information sharing;
• Introduce a regular bi-directional information flow between regulators/ supervisors and the industry.

Full position on EBF

© EBF