A G-7 CEG’s Occasional Paper: “Proposal for a common categorisation of IT incidents”
The ACPR is a member of the G-7 Cyber Expert Group (G-7 CEG), which brings together financial-sector authorities from the G-7 countries. With the support of nine other authorities representing five other G-7 jurisdictions, it has drawn up a proposal for a common categorisation of IT incidents of all kinds, that is, not only cybersecurity incidents but also operational ones. The adoption of a common categorisation by the financial authorities of different countries is thereby encouraged and could facilitate the understanding of incidents, information sharing, and crisis management at the international level.
Ten financial authorities that are members of the G-7 Cyber Expert Group (CEG), representing six of the G-7 jurisdictions[1], have collaborated to formulate a proposal for a common categorisation of malicious cyber incidents (cyber-attacks) and other Information Technology (IT) incidents. This proposal is detailed in an Occasional Paper and responds to the request formulated by the Finance Ministers and Central Bank Governors at their G-7 Finance track meeting in Chantilly in July 2019. This Occasional Paper expresses the views of its authors only. It does not bind the CEG or the G-7.
The aim of the proposal is to promote the harmonisation of the various incident reports that authorities require from financial institutions, by defining common principles and developing a common taxonomy. The adoption of these common principles and this common taxonomy would make incident reporting more robust and effective, by facilitating a common understanding of incidents, the sharing of information, and the joint management of IT crises of international scope. In their proposal, the participating authorities have taken into account the observations made by the representatives of their respective financial sectors. The proposal is addressed to regulators and standard-setting bodies. It is not intended, however, to displace or replace existing frameworks that are tailored to the national authorities’ specific missions.
First, the proposal for a common categorisation sets out six key principles as a basis for effective incident reporting. These principles aim to facilitate the collection of information, by covering all IT incidents whatever their nature, and by not obliging the reporting financial institutions to change their own assessment of the incident as they perceive it. They allow incidents to be considered at different stages of progression. Importantly, these principles also encourage the adoption of existing, robust taxonomies, so as to avoid incident reporting that is too specific to the financial sector and would hamper comparisons.
Secondly, the common categorisation proposal identifies four key axes for the construction of an incident report. This multi-dimensional approach combines taxonomies of the incidents themselves and of their various impacts, taxonomies of the IT systems and activities affected by the incident, and finally criteria for assessing severity. The paper also paves the way for future work on a sector analysis taxonomy.
In early 2021, the Financial Stability Board (FSB) started working on cyber-incident reporting and will present its conclusions to the G-20.
[1] European Union: European Central Bank (ECB); France: Autorité de Contrôle Prudentiel et de Résolution (ACPR); Germany: Deutsche Bundesbank; Italy: Banca d’Italia, Commissione nazionale per le società e la Borsa (CONSOB), Ministero dell’Economia e delle Finanze (MEF); United Kingdom: Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA); United States of America: Federal Reserve Board (FRB), U.S. Department of the Treasury (UST).
- Published on 04/06/2021
Updated on: 04/06/2021 10:39