91����ԭ��

The Financial Stability Board (FSB) has published its finalised Format for Incident Reporting Exchange (FIRE) in a bid to streamline cyber and operational incident reporting. 

The international body’s  is intended to address fragmentation in reporting requirements, reducing the burden on firms that operate across multiple jurisdictions.

In a media statement, the FSB said that the ability to respond swiftly and effectively to operational incidents, particularly cyber incidents, is more critical than ever in a time of heightened cyber risks and increasing reliance on technology and third-party services. 

“FIRE demonstrates how international regulatory cooperation can deliver benefits for all stakeholders,” said Klaas Knot, Dutch Central Bank chief and chair of the FSB. 

“It also highlights the value of public-private partnerships in tackling shared challenges, such as those related to cyber and operational resilience.”

Reducing operational burden

By standardising key information elements, FIRE is anticipated to enhance cross-border cooperation and streamline communication between authorities and regulated entities.

The FIRE initiative was developed in consultation with private sector stakeholders and has been designed to be flexible and interoperable with existing reporting frameworks such as the EU’s Digital Operational Resilience Act (DORA) requirements and the UK’s Operational Resilience framework. 

“Differences in reporting approaches across jurisdictions result in fragmented requirements and coordination challenges,” the FSB said. 

“Greater harmonisation of regulatory reporting supports firms’ efficient incident response and recovery, as well as effective supervision and cooperation among authorities.”

FIRE covers a wide spectrum of operational disruptions, including cyber incidents, and can be adopted in full or in part by financial authorities. 

The framework also allows for application to third-party service providers and firms beyond the financial sector.

The finalised framework builds on the FSB’s 2023 recommendations to improve convergence in cyber incident reporting, which included an updated cyber lexicon and the conceptual groundwork for FIRE. 

The FSB also incorporated public feedback on the draft version released in October 2024, and validated the format through robustness testing with anonymised industry data.

FIRE identifies three types of reporting: institution-initiated (the most common); authority-initiated; and periodic reporting. 

It also outlines 87 standardised information fields, 39 of which are optional, to provide flexibility for implementation across different jurisdictions and use cases.