In the midst of several large cyberattacks in 2017, the European Commission adopted its multi-sector cybersecurity package in September of that same year. Whereas this initiative can be expected to contribute to strengthening the cyber-resilience and response of EU financial firms, several policy issues and unanswered questions remain. In order to analyse the issues considered relevant to the financial fields (retail banking, corporate banking, capital markets, financial infrastructure and insurance), CEPS-ECRI organised a Task Force between September 2017 and May 2018 with a group of experts from the financial industry, the tech industry, national supervisors and European institutions, as well as from a consumer association and a law firm.
In this book, based on the Final Report, the Task Force members identify nine policy issues that need to be further addressed in order to bolster the financial industry's cyber-resilience against current and future threats.
Sylvain Bouyon is a Research Fellow and Head of Fintech and Retail Finance at CEPS and ECRI.
Simon Krause is a Visiting Researcher at CEPS.
Contents

Abbreviations
Foreword
Executive Summary
1. Characterisation of cyber-incidents
2. Need for convergence in incident reporting schemes
3. Optimising information sharing
4. Need for benchmark statistics on cyber-trends
5. Complementary policies to reinforce prevention
6. Complementary policies to strengthen responses in case of cyberattacks
Conclusions
Annex - Task Force Members, Observers and Speakers
CHAPTER 1. CHARACTERISATION OF CYBER-INCIDENTS
1.1 Definitions
Cybersecurity can be defined either as a particular state, which could be qualified as "optimal", or as the collection of activities that ensures that state is reached. As defined by the Dutch Cybersecurity Supervisor (2017), a system is cyber-secure when it reaches a state that is free of danger or damage caused by a disruption or failure of IT, or by the abuse of IT. Overall, the danger or damage caused by abuse, disruption or failure may comprise a limitation on the availability and reliability of the IT, a violation of the confidentiality of information stored in IT environments, or damage to the integrity of that information.
According to ENISA (2017), cybersecurity comprises all activities necessary to protect cyberspace, its users and affected persons from cyber-threats. Cyberspace is the time-dependent set of tangible and intangible assets that store and/or transfer electronic information. The present report will use "cybersecurity" interchangeably for the state and for the collection of activities that ensures that state.
1.2 Types of cyberattacks in financial services
Many statistics can be found on the most common types of cyberattacks in financial and insurance services. Although differences can be observed in these statistics across sources, overall there is a broad consensus that denial of service (DoS), web application attacks and payment card skimming represent the vast majority of security incidents. The most common motive for these attacks is, as expected, financial, whereas a small share is driven by espionage and other purposes. In the vast majority of cyberattacks, the compromised data are credentials; personal and payment data represent a much smaller share.
A large share of these cyberattacks has limited impact and affects only one or a few individuals. But, over the last decade, a few large-scale cyberattacks have been identified in the financial sector, with marked impact in both the short and long term. As shown in Table 1, these extensive attacks have affected a broad range of financial segments: retail payments, health insurance, investment, consumer credit, credit registers, etc. It seems that any segment of the financial sector can be the target of a large-scale cyberattack.
CHAPTER 2. NEED FOR CONVERGENCE IN INCIDENT REPORTING SCHEMES
2.1 Increase in legislation with incident reporting requirements
Several recent EU regulations and directives include incident reporting requirements in the event of a cyber-breach. The requirements for an institution or data controller to report or notify specific authorities, and in some cases the public, in the event of a cyber-breach are notably covered in the following legislation:
• General Data Protection Regulation (GDPR) in Articles 33 and 34
• Payment Service Directive 2 (PSD2) in Article 96 as well as the corresponding EBA Guidelines
• Directive on Security of Network and Information Systems (NIS) in Articles 6, 14 and 16
• Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (eIDAS) in Article 19
• Cyber-incident reporting of the European Central Bank
• TARGET2
As shown in Table 2, high fragmentation can be observed between these rules in the taxonomy used for reporting, the reporting time frame, the template to be used and the threshold that triggers a report. For instance, whereas the NIS Directive only requires reporting "without undue delay" and sets no fixed deadline, the deadline is 72 hours under the GDPR, 24 hours under eIDAS and 48 hours under TARGET2. The template is not clearly defined in the GDPR and the NIS Directive, while it is provided for eIDAS (via a document for reporting to ENISA, but not defined at member-state level) and for TARGET2 (via the document in Annex II).
There is also great diversity in the types of authorities that have to collect incident reports (see Table 3). Some of these authorities are European bodies, such as the ECB for ECB cyber-incident reporting. Others are national: national NIS authorities for the NIS Directive, the NCA for PSD2 (the information is then reported to the EBA, which eventually reports it to the ECB), national data protection authorities for the GDPR, the national certification authority for the eIDAS Regulation and national central banks for TARGET2. Also, some requirements and the related authority in charge concern only financial firms (PSD2, TARGET2), while others are multisectoral (eIDAS, the NIS Directive and the GDPR). Finally, each piece of legislation defines a different set of criteria to determine which type of financial firm needs to comply with the reporting requirements.
In addition to incident reporting to the competent authorities, most regulations require the notification of consumers who have been affected by a cybersecurity incident. The GDPR requires the supervisory authority, unless the financial institution has already done so, to inform consumers without undue delay if the data breach poses a high risk of negatively affecting their rights and freedoms. Similarly, the eIDAS Regulation requires consumer notification with appropriate information in case of major security breaches or integrity losses. The NIS Directive sets either the need for public awareness or the public interest as the threshold for informing consumers of an incident. PSD2 requires payment service providers to inform their affected consumers without undue delay about both the cybersecurity incident and the remedial measures if the incident has, or may have, an impact on the financial interests of consumers.
While these regulations all cover reporting requirements to consumers, significant heterogeneity can be observed in the criteria, standards, thresholds, time frames and general approaches to consumer notification. Different interpretations across pieces of legislation might further increase this fragmentation. Moreover, the reporting requirements leave room for discretion, meaning for instance that financial institutions are obliged to assess the personal and financial risks to consumers arising from a data breach themselves. Therefore, the consumer dimension and scope of cyber-incident reporting, as well as the difficulties caused by legal fragmentation, should not be underestimated.
2.2 Need to develop a common taxonomy for incident reporting
The development of a common taxonomy for incident reporting is needed for various reasons. First, as cyberspace is global, cyberinsecurity is often a multi-country issue. Often, similar patterns of threat can simultaneously affect organisations located in different countries. As such, cross-border exchange of information is needed to address cybersecurity issues better and manage...