BITS, the technology policy division of the Bank Policy Institute (BPI), has expressed support for the Financial Stability Board's initiative to create a standardized global framework for cyber incident reporting. The "Format for Incident Reporting Exchange" aims to enhance coordination between regulators and the private sector by making data requirements more consistent across different regions.
Patrick Warren, Vice President of Regulatory Technology for BITS, stated, "BPI welcomes the FSB’s effort to develop a more uniform framework for cyber incident reporting." He highlighted that the current diverse requirements divert significant resources from threat response to compliance paperwork, which stretches banks' cybersecurity resources thin and complicates recovery efforts.
Currently, U.S. financial institutions must comply with up to ten distinct cyber incident reporting obligations, each with varying thresholds, timelines, and information requirements. For instance, once CISA finalizes its rule under the Cyber Incident Reporting for Critical Infrastructure Act, U.S. banks facing a cyber incident will need to follow specific reporting timelines: 36 hours for primary banking regulators and the Federal Housing Administration; 48 hours for Ginnie Mae; 72 hours for the Cybersecurity and Infrastructure Security Agency; and four days for the Securities and Exchange Commission.
Beyond federal obligations, banks also face a variety of state-level data breach and privacy laws in addition to international regulations like the European Union's General Data Protection Regulation (GDPR).
The existing inconsistency places a substantial burden on frontline defenders by diverting them from essential security functions. A recent survey among BPI members indicated that financial institutions report their cyber teams spend over 70% of their time on regulatory compliance activities. Similarly, Chief Information Security Officers or equivalent senior leaders reported spending 30-50% of their time managing compliance-related tasks.
The deadline for comments is December 19, 2024. The FSB will review these comments before producing optional recommendations for regulatory authorities worldwide.
The Bank Policy Institute represents universal banks, regional banks, and major foreign banks operating in the United States. It engages in public policy research and advocacy related to regulatory issues including cybersecurity.