Ten financial authorities that are members of the G-7 Cyber Expert Group (CEG), representing six of the G-7 jurisdictions, have collaborated to formulate a proposal for a common categorisation of malicious cyber incidents (cyber-attacks) and other Information Technology (IT) incidents. This proposal is detailed in an Occasional Paper and responds to the request that the Finance Ministers and Central Bank Governors formulated at their G-7 Finance track meeting in Chantilly in July 2019. This Occasional Paper expresses the views of its authors only; it does not bind the CEG or the G-7.
The aim of the proposal is to promote the harmonisation of the various incident reports that authorities require from financial institutions, by defining common principles and developing a common taxonomy. Adopting these common principles and this common taxonomy would make incident reporting more robust and effective, by facilitating a common understanding of incidents, the sharing of information, and the joint management of IT crises of international scope. In their proposal, the participating authorities have taken into account the observations made by the representatives of their respective financial sectors. The proposal is addressed to regulators and standard-setting bodies. It is not, however, intended to displace or replace existing frameworks that are tailored to the national authorities’ specific missions.
First, the proposal for a common categorisation sets out six key principles as a basis for effective incident reporting. These principles aim to facilitate the collection of information, by taking into account all IT incidents whatever their nature, and by not obliging the reporting financial institutions to change their own assessment of the incident as they perceive it. They allow incidents to be considered at different stages of progression. Importantly, these principles also encourage the adoption of existing, robust taxonomies, so as to avoid incident reporting that is too specific to the financial sector and would hamper comparisons.
Second, the common categorisation proposal identifies four key axes for the construction of an incident report. This multi-dimensional approach combines taxonomies of the incidents themselves and of their various impacts, taxonomies of the IT systems and activities affected by the incident, and finally criteria for assessing severity. The paper also paves the way for future work on a sector analysis taxonomy.
In early 2021, the Financial Stability Board (FSB) started working on cyber-incident reporting and will present its conclusions to the G-20.
Occasional Paper
p/o Virginie Gastine Menou
RISQUES ET VOUS