by Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood

From left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Kristin Snyder, Charu A. Chandrasekhar, and Tristan Lockwood (Photos courtesy of Debevoise & Plimpton LLP)

Big businesses, especially those with a global footprint and operating in regulated sectors, are increasingly confronted with new and diverging cyber incident reporting requirements. A single incident—even a relatively minor one—may require notification to dozens of data protection, cyber, law enforcement, and sectoral regulators around the world, in addition to insurers, customers, and counterparties. Not only do many regulatory reporting obligations have materially different triggers, but also significant variation exists in reporting timeframes, content requirements, and subsequent regulatory engagement practices. The cumulative effect of this regulatory spiderweb of red tape is often to divert attention and resources away from substantive incident response and remediation, and to create a bureaucratic vortex for compliance and legal personnel.  To make matters worse, businesses cannot simply hire their way out of this morass. With a ~3.4 million person shortage in information security professionals, when regulators force too much attention on incident reporting they are invariably diverting eyes from actual information security.

The Financial Stability Board (FSB), an influential international body consisting of the world’s leading financial services regulators, has been analyzing this issue for the past few years and sounding the alarm over this challenging notification landscape. In a report published in April 2023,  “Recommendations to Achieve Greater Convergence in Cyber Incident Reporting: Final Report” (“Report”), the FSB provided incisive commentary on practical issues and challenges to achieving greater convergence in cyber incident reporting and made sixteen recommendations, principally directed to financial authorities, to improve the situation. The North American Securities Administrators Association (NASAA) agrees with the FSB’s call for harmonization. After the SEC issued multiple proposed rules calling for different forms to be used for incident reporting, NASAA submitted a comment letter on the proposed rules in May 2023 calling for harmonization of the reporting requirement with the proposal of creating just one form that would be filed with the Financial Industry Regulatory Authority (FINRA).

In this blog post, we summarize the FSB Report and its key recommendations, and explain how financial institutions may wish to:

• Use the Report to inform the design of governance frameworks and procedures for cyber incident reporting;
• Consider seeking to more proactively engage with financial authorities on the sorts of issues raised in the Report—in the direction of greater workability and convergence; and
• Inform and substantiate future engagement in regulatory and legislative feedback processes.

Key Findings

In 2022, the FSB surveyed FSB members and financial institutions about cyber reporting requirements and experiences. Based on those surveys, and its own analysis, the Report made a number of incisive findings about issues and challenges in cyber incident reporting:

• Operational challenges. Financial institutions often have a lot of reporting requirements, many of which require actioning immediately or on very short timeframes. Material differences in reporting triggers and reporting templates make it difficult to meet all of these requirements in a manner that achieves financial authority objectives. The short timeframes also draw resources and attention away from incident response and remediation at a time when this is critical.
• Setting reporting criteria. Determining and articulating appropriate reporting obligation trigger points is difficult. This is especially challenging for qualitative reporting triggers. Divergent criteria between financial authorities increase the risk of misalignment between financial authority and institution understandings about the meaning of thresholds.
• Early assessment challenges. Making and communicating early assessments about cyber incidents is difficult because of the chaotic and indefinite nature of cyber incidents. Root causes often take time to determine. While a timely and complete picture is important for authorities, expectations about the level of completeness add stress and divert resourcing away from efforts to resolve incidents.
• Culture of timely reporting. Relatedly, timely reporting to financial authorities is important to authorities for various reasons. But there are numerous impediments to achieving timely reporting, including challenges in making accurate assessments, fear of reputational damage, and delays in the detection of incidents.
• Secure communications. The handling of incident reports in a secure and appropriate manner is important to financial institutions. But financial institutions are concerned about risks in communicating incidents via unencrypted email, which remains the most common method of reporting, and designated platforms, which may be targeted by threat actors.

Key Recommendations

While emphasizing that a one-size-fits-all approach is not appropriate, the recommendations emphasized the desirability of greater convergence among cyber incident reporting frameworks. Specific key recommendations included:

…

3. Adopt common data requirements and reporting formats. Financial authorities should individually or collectively identify common data requirements, and, where appropriate, develop or adopt standardized formats for the exchange of incident reporting information.
4. Implement phased and incremental reporting requirements. Financial authorities should implement incremental reporting requirements in a phased manner, balancing the authority’s need for timely reporting with the affected institution’s primary objective of bringing the incident under control.

…

6. Calibrate initial reporting windows. Financial authorities should consider potential outcome associated with window design or calibration used for initial reporting.
7. Provide sufficient details to minimize interpretation risk. Financial authorities should promote consistent understanding and minimize interpretation risk by providing an appropriate level of detail in setting reporting thresholds, using common terminologies and supplementing [reporting] guidance with examples.
8. Promote timely reporting under materiality-based triggers. Financial authorities that use materiality thresholds should consider finetuning threshold language, or explore other suitable approaches, to encourage prompt reporting by [institutions] for material incidents.

…

16. Protect sensitive information. Financial authorities should implement secure forms of incident information handling to ensure protection of sensitive information at all times.

Opportunities for Financial Institutions to Leverage the Report

The Report is principally directed to financial authorities and the political actors that have the ability to shape the laws and regulations they enforce. However, recognizing the influential role of the FSB and the incisiveness of the Report, financial institutions may wish to consider leveraging it in several ways:

• First, financial institutions may wish to use the Report to inform the design of governance frameworks and procedures for cyber incident reporting. For example, the FSB’s identification of timeliness as a generalized regulatory concern may favor investment in processes which enhance the ability of institutions to make timely reports. Further, and while governance frameworks obviously need to be tailored to each entity’s regulatory requirements, the FSB’s recommendation to harmonize reporting requirements may influence the perceived desirability within financial institutions of centralized oversight and control of cyber incident reporting and engagement.
• Second, financial institutions might wish to consider seeking to influence more proactively financial authorities on the sorts of issues raised in the Report—in the direction of greater workability and convergence. For example, financial institutions may wish to consider proactively engaging with financial authorities on (i) voluntary “interim” reporting as a means of improving timeliness while managing expectations around level of detail in early-stage reports, and (ii) financial institution-defined guidance and examples to ensure alignment on materiality thresholds. Such engagement may yield both entity specific outcomes and influence broader regulatory direction.
• Third, financial institutions may wish to consider leveraging the Report to inform and substantiate future engagement in regulatory and legislative feedback processes. Broadly, the Report gives voice to many concerns which have been long held by financial institutions with respect to the challenges posed by the increasingly complicated cyber incident reporting landscape. The Report is a valuable resource to draw on and point to in policy discussions about responding to the myriad issues raised by the proliferation of divergent reporting requirements and the imperative to find greater convergence.

Luke Dembosky, Avi Gesser, Erez Liebermann, and Kristin Snyder are Partners, Charu A. Chandrasekhar is Counsel, and Tristan Lockwood is an Associate at Debevoise & Plimpton LLP. This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity or any statements made on this site and will not be liable any errors, omissions or representations. The copyright or this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).