IIF Authors

Status: Will be live at 12/20/2024 08:00

Response to FSB's Achieving Greater Convergence in Cyber Incident Reporting

The Institute of International Finance (IIF) on December 19th submitted a response letter to the Financial Stability Board (FSB) Format for Incident Reporting Exchange (FIRE) Consultation Report. In the letter, the IIF recognizes and appreciates the FSB’s long-standing leadership in addressing market fragmentation and encouraging coordination, consistency and cooperation among its member jurisdictions, and with other global standard-setting bodies. We also commend the FSB for its critical work in promoting greater harmonization around cyber security and cyber risk practices, including in this case around incident reporting across financial institutions and reporting authorities around the world.

This iteration of FIRE, which aims to promote common information elements for incident reporting while allowing for flexible implementation practices, has made a lot of progress in becoming a valuable public sector and industry standard. It is user-friendly and bespoke, in that authorities can choose the extent to which they adopt FIRE, and can leverage its features and definitions to promote convergence and facilitate translation between existing frameworks. At a later stage, if desirable, authorities can also apply FIRE to other parties and other sectors beyond financial services firms. At some point, if welcome, the FSB could also encourage other (non-financial) sectors to use the same template, to help address fragmentation across sectors.

For FIRE to be most effective, it is important that as many authorities as possible adopt it as their standard for cyber incident reporting by financial institutions. The more authorities that do so the better, as this would substantially help address the current state of fragmentation around cyber incident reporting.

An area that has sparked a lot of discussion is the sharing among authorities of information that they receive from the private sector. Authorities have long shared information on cyber threats and incidents with other authorities, in connection with their regulatory and supervisory activities, particularly as they pertain to financial services firms’ cross-border operations. This cross-border sharing of information serves a number of important regulatory and supervisory purposes, but it can lead to the premature release of information beyond the scope of authorized parties. There are concerns that the ubiquity of FIRE, by facilitating information exchange among authorized parties, could increase the risk of unauthorized information flows. FIs would benefit from transparency as to where their information is being forwarded.

The IIF and its members have previously encouraged the FSB to support bidirectional sharing of reported information, including from authorities to FIs. To avoid cyber incidents spreading across the (global) financial system, it is important that firms receive information related to material cyber incidents and operational outages that were reported to authorities. This way, the FIs can take measures to bolster their cyber security and thereby enhance the resiliency of the sector.

Finally, the IIF encourages the FSB to distinguish cyber incidents driven by malicious intent from non-malicious operational incidents, given the criticality of prompt early warning to authorities and other potentially affected firms. Moreover, non-malicious operational incidents generally have different incident management policies, procedures, personnel, and reporting objectives when compared to malicious cyber incidents. Therefore, we think it worthwhile to limit reporting to incidents that cause actual harm; these should rightly be prioritized so as to avoid a wider impact.