Yes, we agree with the increase of the threshold and the duration longer than 2 hours for the operational incidents. At the same time, we would welcome further clarification and examples of the cases where “issues affecting the initiation and/or processing of transactions may be rectified within a period shorter than one hour but the overall unavailability of the PSPs’ services to the payment service user is longer than two hours”.
Yes, we agree. At the same time, we would also welcome some clarification on how and when PSPs should consider that the criterion “Breach of security measures” is triggered. Would this be at the same level as in ECB’s cyber incident reporting?
Yes, we agree.
Since major incident reporting is a manual process, we are satisfied with the current solution. Given the current process, formats other than MS Excel are therefore not relevant.
However, if further standardisation of files for submission would lead to possible automation opportunities, we would be open to discussing the introduction of more efficient tools and approaches as well.
Yes, we agree.
In addition, we would appreciate a further explanation of the meaning of the following expression: “the 4-hour deadline for submission of the initial report as required under Guideline 2.7 applies from the moment of classification of the incident (and not the detection of the incident)”. We would especially encourage a more detailed definition of “classification”.
Overall, we agree. We are supportive of the proposed categories and sub-categories of incidents and the terminology used. Nevertheless, we do not consider that the terms and categories are well defined. Indeed, a relevant part of the definitions provided by the EBA is based on examples (e.g. see page 45 of the Consultation Paper). We believe it is necessary that the EBA provides more precise and unambiguous definitions in order to make sure incidents are properly categorized in practice.
Additionally, we think there is a need for further clarifications:
• On the exact scope of the sub-category “Information context security”.
• Regarding the above-mentioned Point d.) of Deficiencies in the reporting process: we understand that the requirement is not to leave any fields blank in the report. In case the respective field does not apply or is not relevant for the article – is there a preference as to how to indicate that (e.g. n.a./u.a.)? Otherwise, we suggest adding said option to the list.
We would also like to propose making the field “Assessment of the effectiveness of the actions taken” in the template of the final report optional. It is very time consuming to get the requested information on time, and this may entail the inability/impossibility to respect the deadline.
Finally, financial institutions are obliged to comply with various reporting obligations, e.g. the “ECB Reporting for significant cyber incidents” reporting scheme. Each reporting obligation uses a different classification scheme for incidents, which makes it difficult to reflect them in incident management processes and tools. Further harmonisation between the EBA and ECB reporting obligations would be highly appreciated.