Cybersecurity is of paramount importance in protecting the Digital Single Market, which is mirrored in the evolution of EU legislation. With the objective of increasing cybersecurity readiness and awareness, the current EU legal framework specifies the need to comply with requirements for mandatory incident reporting to different supervisory authorities. These requirements are particularly strong in the critical financial sector.

Currently, there are no cross-sector standards defined for mandatory incident reporting, and each supervisory authority, at both EU and national level, defines the impact assessment criteria, thresholds, timing, dataset, procedures and means of communication that it requires to be followed. All these different criteria and patterns fragment the overall incident reporting operation for the affected financial entities and must be dealt with on the critical path of managing the incident itself. This means time-consuming reporting processes for the incident management and reporting teams, and can even allow cyber threats to propagate faster. Additionally, in the overall context of incident reporting, increasing importance is given to cooperation and threat intelligence data sharing among all the different stakeholders, in order to improve the capacity and resilience of the European cyber environment and to respond more efficiently and quickly to new cybersecurity threats.

Objectives

CyberSec4Europe’s goal in this area is to provide a platform that enables financial institutions to fulfil the mandatory incident reporting requirements according to the different procedures and methods specified by the applicable finance-related legislation and initiatives, such as PSD2 and the ECB Banking Supervision cyber incident reporting framework. This incident reporting platform will address the common need for standardised and coordinated cooperation in cybersecurity communication, and could also pave the way towards public and private cooperation in reaching the common goal of enhanced cyber resilience across Europe and beyond.

The two main categories of stakeholders are those entities who will be affected by, or who have an economic, technical, political or legal interest in, the incident reporting process and, as a consequence, in this platform. As described in the (first) demonstrator use case requirements analysis:

  • Financial Institutions are required by different pieces of legislation and initiatives to report cyber incidents to different supervisory authorities. It is worth highlighting that, under different regulations, a single financial institution may hold several regulated roles at the same time, each with its own specific requirements. For example, it may at once be a TARGET2[1] participant, a significant institution (ECB SSM[2]), a payment service provider (PSD2[3]), an operator of essential services (NISD[4]), a personal data processor/data controller (GDPR[5]) and a trust service provider (eIDAS[6]).
  • EU/national supervisory authorities are responsible for the different reporting requirements and for receiving the corresponding reports. Each regulation or framework designates its own competent authority.

With this purpose in mind, we are working on a first prototype of an incident reporting platform that will cover incident events from the collection of data related to a detected security incident until the generation of the mandatory reports to be sent to the competent authorities. We have defined three use cases to validate the different phases of the incident reporting workflow:

  • data collection, enrichment and classification;
  • managerial judgement;
  • data conversion and reporting preparation.
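The three phases above, as an added illustration that is not the project's own code: a canonical incident record from the collection phase is classified in a managerial-judgement step and then fanned out into one report task per applicable regime, each with its own competent authority and deadline. The obligation table, severity rule, authority names and report deadlines are constructed placeholders for illustration, not the actual legal requirements of the regulations named.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed obligation table (illustrative placeholders, NOT the real legal deadlines):
# role held by the institution -> (regime, competent authority placeholder, hours to initial report)
OBLIGATIONS = {
    "target2_participant": ("TARGET2", "<TARGET2 service desk>", 1),
    "significant_institution": ("ECB SSM", "<ECB joint supervisory team>", 2),
    "payment_service_provider": ("PSD2", "<national competent authority>", 4),
    "operator_of_essential_services": ("NISD", "<national CSIRT>", 24),
    "data_controller": ("GDPR", "<data protection authority>", 72),
    "trust_service_provider": ("eIDAS", "<eIDAS supervisory body>", 24),
}

@dataclass
class Incident:                      # output of the collection/enrichment phase
    detected_at: datetime
    summary: str
    affected_services: tuple
    clients_affected: int
    personal_data_affected: bool
    severity: str = "unclassified"   # filled in during managerial judgement

@dataclass
class ReportTask:                    # one regulator-specific report to prepare
    regime: str
    authority: str
    due: datetime
    payload: dict

def classify(incident: Incident) -> Incident:
    """Managerial-judgement step with a constructed rule: major if many clients or personal data are hit."""
    major = incident.clients_affected >= 1000 or incident.personal_data_affected
    incident.severity = "major" if major else "minor"
    return incident

def prepare_reports(incident: Incident, roles: tuple) -> list:
    """Fan one classified incident out into per-regime report tasks, earliest deadline first."""
    tasks = []
    for role in roles:
        regime, authority, hours = OBLIGATIONS[role]
        if regime == "GDPR" and not incident.personal_data_affected:
            continue                 # breach notification only concerns personal data
        if regime != "GDPR" and incident.severity != "major":
            continue                 # constructed threshold: other regimes only receive major incidents
        payload = {"regime": regime, "summary": incident.summary,
                   "detected_at": incident.detected_at.isoformat(),
                   "services": list(incident.affected_services)}
        tasks.append(ReportTask(regime, authority, incident.detected_at + timedelta(hours=hours), payload))
    return sorted(tasks, key=lambda t: t.due)

def demo() -> list:
    """Constructed sample: a bank that is a PSP, an SSM significant institution and a data controller."""
    inc = classify(Incident(datetime(2021, 3, 4, 9, 0), "Card authorisation outage after DDoS",
                            ("card_payments",), 5000, False))
    return prepare_reports(inc, ("payment_service_provider", "data_controller", "significant_institution"))
```

Because no personal data was affected in the sample, the GDPR task is dropped and the remaining tasks are ordered by the earliest placeholder deadline (ECB SSM before PSD2).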

Progress in the development of the platform will be reported in the project’s demonstrator use case reports during the remainder of the project.

Benefits

Ultimately, the Incident Reporting Platform will benefit both sets of stakeholders listed above by facilitating the collection of security incident information, the actual reporting of the incident and compliance with the requirements of the supervisory authorities. For the financial institutions in particular, it will facilitate internal collaboration by providing a centralised tool available across organisational departments. In the wider fight against cyber attacks, the Incident Reporting Platform will promote a collaborative approach to incident reporting and foster cooperation in enhancing cyber resilience, potentially beyond the financial sector.


Laura Colombini (Intesa Sanpaolo Group Services), Vanesa Gil Laredo (BBVA Group) and Susana González Zarzosa (Atos Spain)


[1] Trans-European Automated Real-time Gross settlement Express Transfer system: the Eurosystem’s real-time gross settlement system for the euro.

[2] European Central Bank Single Supervisory Mechanism

[3] Payment Services Directive 2

[4] Network and Information Security Directive

[5] General Data Protection Regulation

[6] Electronic IDentification And trust Services for electronic transactions in the internal market.