Response to consultation on Guidelines on major incidents reporting under PSD2
Question 1: Do you consider the definitions included in the draft Guidelines to be sufficiently clear?
In general we want to emphasise that it is important to align the incident reporting of the EBA and the ECB. An internationally standardised form and aligned reporting requirements are necessary for a proportionate and effective implementation.
The definitions are pretty clear and valid. Just in case of availability the definition of "authorized clients" is not clear. We ask to provide a more narrow definition.
Question 2: Do you consider the criteria and methodology applicable for the assessment and classification of an incident as major to be sufficiently clear? If not, what should be further clarified?
They are sufficiently clear. But in case of clients affected it would also be useful if a segmentation of clients were provided. Service downtime and the economic impact should not be required as mandatory, just as a best effort. Transactions affected - what does regular level of transactions mean? How should we calculate and define a regular level of transactions, and for which period etc.?
In addition to the incident categories, an alignment of the incident details to be reported, the report-triggering criteria and the report formats would make sense. For example, the current ECB Cyber-Incident Excel report template has about 100 fields that must be filled out at the time of incident solution / cleanup. If no such adjustment is made, in future institutions will have to report to two EU finance authorities differently.
Question 3: Do you consider that the methodology will capture all of / more than / less than those incidents that are currently considered major? Please explain your reasoning.
For the current situation yes, it should cover all of them. But from a future perspective we should take into account developments in technology etc. This guideline should be revised based on this consideration.
Question 4: In particular, do you propose to add, amend and/or remove any of the thresholds referred to in Guideline 1.3? If so, please explain your reasoning.
We are missing third party providers, or we could put directly in the template the definitions coming from PSD 2 (AISP, PIS). We would like to bring up different thresholds for retail and corporate clients for discussion.
Question 5: Do you think that the information depicted in the template in Annex 1 is sufficient to provide competent authorities in the home Member State with a suitable picture of the incident? If not, which changes would you introduce? Please explain your reasoning.
Yes, in principle sufficiently clear. Nonetheless we believe that the draft report is too detailed. We suggest that the following information should be requested in one form:
=> What happened (description)?
=> What criteria at what level did the incident meet?
=> What measures have been/will be initiated?
=> When is the solution / elucidation of the incident to be expected?
=> Which authority was informed by whom, when and how?
Question 6: Are the instructions provided along with the template sufficiently clear and helpful to remove any doubts that could arise when completing the required fields? If not, please explain your reasoning.
Yes, the instructions are generally clear. Presumably, these data are not yet known or available in the short predetermined time. We need a clear definition of "reputation". In addition they should be extended taking into account our answers to Q 1 and 2.
Question 7: As a general rule, do you consider the deadlines and circumstances that should trigger the submission of each type of report (i.e. initial, intermediate and final) feasible? If not, please provide a reasoning and justify any alternative proposal.
In our opinion, the deadlines are far too short and the interruption is too tight. In particular, in connection with the initial report, the available resources will be bound to contain and remedy the incident. We propose the following deadlines:
• Initial report: This report should deal with the following questions: What happened? What is the level of the incident? What action has been taken? This should be done within 2 days after the incident becomes known.
• Interim report: From our point of view, this is not necessary because it does not seem to bring any added value, but it takes time and resources.
• Final report: After the incident has been solved, a more comprehensive report should be made. This should be done within 2 weeks after business normalised again.
To date, a security incident involving personal data must also be reported as a Data Breach Notification Duty. It should therefore be ensured that one of the two messages is omitted, otherwise the incident would have to be reported twice. At least the reporting of such incidents should be harmonised, to avoid multiple reporting to different authorities through different forms.
Competent authorities should also have deadlines, because after they receive a report they have to act and undertake actions based on the content and seriousness. Two hours might be a long time for some kinds of attacks.
Question 8: Do you consider that the delegated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.
Yes, it could be valuable for institutions which centralise some functions at a group level.
Question 9: Do you consider that the consolidated reporting procedure proposed in the draft Guidelines will provide added value to the market? Please explain your reasoning.
Yes, this is useful. The consolidated reporting will bring added value if it is timely and effectively shared. It may be necessary to establish a timeframe within the guideline, e.g. a report is to be provided describing several operational or security incidents within a calendar year.
What is the "consolidated reporting procedure"?
(A) within a given period, e.g. a quarter, all safety and operational incidents should be reported, or
(B) is this consolidated notification an additional notification of all incidents?
We advocate a) in the interval of a quarter.
Open questions:
• What happens to the incidents? Who processes them? For what information? Where are they stored? Who has access to this data?
• Overall - what is the purpose of these provisions?