Regulatory demands on how security incidents are handled are increasing in several areas. One of the most pressing sets of requirements comes from GDPR, but PSD2 also brings its own set of standards.
GDPR imposes a 72-hour limit for notifying a qualifying breach to the regulator (where the breach is serious enough to require notification), after which the information must be passed on to affected customers, citizens or users "without undue delay". We have covered the GDPR requirements in our other blog posts.
The PSD2 regulations have requirements in this area as well. In the finance and payments world there is (a) a lot of personal data in circulation and (b) the impact of a security or fraud breach can become very expensive very quickly.
PSD2 is an EU directive, and the detailed security requirements under it have been defined by the European Banking Authority (EBA). We covered the wider security obligations in our earlier PSD2 post; here we focus on the incident reporting requirements.
The EBA Guidelines on "Major Incident Reporting" provide further detail on the method and timescales for reporting major incidents (e.g. widespread fraud or significant data losses). The guidelines are structured as shown in the diagram below.
The main areas that security teams should pay attention to are the classification process in Guideline 1 and the notification process in Guideline 2.
The classification process defines the criteria for whether an incident is minor or major, and hence how it is handled. This is followed by a reporting process with defined stages and aggressive timelines. Because GDPR notification requirements fall in the same timeframe, this will stretch security teams even further.
The incident classification process is based on higher-impact and lower-impact criteria, which are used, as shown in the diagram below, to determine the severity.
The criteria are then based on the corresponding impacts in respect of a number of areas. These are:
The initial requirement is to provide a high-level set of details on who is reporting the incident, how it was detected and a short description of the nature of the incident and the time when an update will be issued. See form excerpt below.
The initial incident report template.
In many ways this is a placeholder: it opens a communication channel, records the upfront circumstances and names the points of contact, so that future communications, escalation and investigation can be coordinated.
As the investigation into a breach, loss or fraud progresses (potentially becoming both wider and deeper in scope), there is a mechanism for interim reports every 3 business days (or earlier if possible).
This is a more in-depth analysis report, regularly refreshed, covering the incident details, classification and description, the impact and the mitigations.
The content of this report is defined in another template form, which we have reproduced below. As the investigation progresses, the scant initial details will need to be fleshed out, and the "more DETAILED description" box at the top will have to be filled in.
Part of the PSD2 / EBA Interim report form
The close-down report for an incident is expected within two weeks of the business being 'back to normal'.
The final report includes the root cause analysis and follow-up recommendations. Since it is due before any legal or criminal processes have commenced, and before the final monetary cost of making redress is fully known, in practice it will have to be limited to the more technological aspects of what went wrong and what needs to be put right.
The PSD2 / EBA Final Incident report form
Four hours is a very short time in which to determine that a security incident is a major incident. In some cases this is fine, because detection is immediate and automatic. In others, an access violation, a fraud, an abnormal flow of funds or some other security situation may be less evident and harder to diagnose initially as "a security problem".
Having three days (as per the GDPR breach notification requirements) to understand what is going on is also a challenge, whether you are driven by the EBA incident reporting rules or by the needs of the ICO and EU GDPR. However, at least the details of what is required are defined, so that initial window can be used to build up as much understanding as possible, while also dealing with customers, other service providers, retailers, social media channels and the press.
Given the money involved and the knock-on effects on other parts of the payment, banking, retail and service networks that open banking may create, the incident handling and reporting process is always going to be a challenge under Open Banking and PSD2.
The interconnectedness of systems, the range of customer interactions and the vast number of industry players of all sizes all make for a complicated environment for security threat detection and management: detecting incidents, understanding them, reporting them and resolving them.