Austrian Federal Economic Chamber, Division Bank and Insurance

In general we want to emphasise that it ist important to align the incident reporting of the EBA and the ECB.
An internationally standardised form and aligned reporting requirements are necessary for a proportionate and effective implementation.

The definitions are pretty clear and valid. Just in case of availibility the definition „authorized clients is not clear. We ask to provide a more narrow definition."
They are sufficient clear. But in case of clients affected it would be also useful when there is also a segmentation of clients which should be provided. Service downtime and the economic impact should not be required mandatory, just as a best effort. Transaction affected - what does regular level of transaction mean? How should we calculate and define a regular level of transaction for which period etc?

In addition to the incident categories, an alignment of the incident details to be reported, the report-triggering criteria and the report formats would make sense. For example, the current ECB Cyber-Incident Excel report template has about 100 fields that must be filled out at the time of incident solution / cleanup. If no such adjustment is made, in future institutions have to report to two EU finance authorities differently.
For the current situation yes, it should cover all of them. But from a future perspective we should take into account a development in technology etc. This guideline should be revised based on this consideration.
We are missing third party providers, or we could put directly in the template the definitions coming from PSD 2 (AISP, PIS). We would like to bring up different thresholds for retail and corporate clients for discussion.
Yes, in principle sufficiently clear.
Nonetheless we believe that the draft report is too detailed. We suggest that the following information should be requested in one form: => What happened (description)? => What criteria at what level the incident had? => What measures have been/will be initiated? => When is the solution / elucidation of the incident to be expected? => Which authority was informed by whom, when and how?
Yes, the instructions are generally clear. Presumably, these data are not yet known or available in the short predetermined time. We need a clear definition of reputation". In addition they should be extended taking into account our answers to Q 1 and 2."
In our opinion, the deadlines are far too short and the interruption is too tight. In particular, in connection with the initial report, the available resources will be bound to contain and remedy the incident. We propose the following deadlines:

• Initial report: This report shuld deal with the following questions: What happened? What is the level of the incident? What action has been taken? This should be done within 2 days after the incident becomes known.
• Interim report: From our point of view, this is not necessary because it does not seem to bring any added value, but it takes time and resources.
• Final report: After the incident has been solved, a more comprehensive report should be made. This should be done within 2 weeks after business normalised again.

To date, a security incident involving personal data must also be reported as a Data Breach Notification Duty. It should therefore be ensured that one of the two messages is omitted, otherwise the incident would have to be reported twice. At least the reporting of such incidents should be harmonised, to avoid multiple reporting to different authorities through different forms.

Competent authorities should also have deadlines, because after they receive a report they have to act and undertake actions based on the content and seriousness. Two hours might be a long time for some kind of attacts.
Yes, it could be valueable for institutions which centralize some functions at a group level.
Yes, this is useful. The consolidate reporting will bring added value if it is timely and effectively shared.

It may be necessary to establish a timeframe within the guideline, eg. a report is to be provided describing several operations or security incidents within a calendar year.
What is the consolidated reporting procedure"?
(A) within a given period, eg. a quarter, all safety and operational incidents should be reported, or
(B) is this consolidated notification an additional notification of all incidents?
We advocate a) in the interval of a quarter.

Open questions:
• What happens to the incidents? Who processes them? For what information? Where are they stored? Who has access to this data?
• Overall - what is the purpose of these provisions?"
Austrian Federal Economic Chamber, Division Bank and Insurance