FERMA Calls for Streamlined Cyber-Incident Reporting in New "Cyber Reporting Stack" Report

A digital tablet displaying an exclamation point icon.

October 08, 2024


The European Union's (EU) introduction of cyber-incident reporting regulations aims to protect businesses and their customers, but it has also added complexity to an already intricate legal framework. Recognizing these challenges, the Federation of European Risk Management Associations (FERMA), in collaboration with WTW, released the Cyber Reporting Stack: Navigating the EU Requirements report. This report provides guidance to help risk managers navigate the evolving regulatory landscape and highlights the need for streamlined processes to reduce the burden on businesses.

The report covers significant EU regulations, including the General Data Protection Regulation (GDPR), Network and Information Security Directives (NIS1 and NIS2), the Digital Operational Resilience Act (DORA), and the upcoming Cyber Resilience Act (CRA). These regulations impose a variety of reporting obligations on businesses, and FERMA argues that the increasing overlap of these requirements calls for a more streamlined, efficient system.

Regulatory Landscape Overview

The GDPR, which came into effect in 2018, mandates that companies notify authorities of personal data breaches within 72 hours. The NIS1 directive, in force since 2016, requires operators of essential services to report incidents that disrupt service continuity.

New regulations are also on the horizon. The NIS2 directive, effective in October 2024, broadens NIS1's scope to cover more entities and introduces stricter reporting timelines. Meanwhile, DORA, which will come into effect in January 2025, targets the financial services sector, imposing specific requirements for managing information and communication technology risks and reporting major incidents.

The upcoming CRA, anticipated later in 2024, will mandate cyber-security standards for manufacturers and retailers of digital products. Noncompliance could result in severe penalties, making it essential for companies to adopt robust reporting strategies.

FERMA's Recommendations: Simplification and Single Point of Entry

Given the regulatory complexity, FERMA advocates for a more coordinated approach to cyber-incident reporting across the EU. Currently, businesses must notify multiple authorities, such as data protection authorities, cyber-security incident response teams, and sector-specific regulators. This fragmentation, with varying timelines and formats, creates an administrative burden.

Charlotte Hedemark, president of FERMA, emphasized, "FERMA believes companies need a more streamlined and consistent set of requirements when it comes to reporting on cyber incidents. This reporting should help EU authorities, businesses, and citizens to better understand the cyber threat—but this will only work if it's easy, safe, and secure for companies to provide information."

As part of its recommendations, FERMA suggests creating a "single point of entry" for cyber incident notifications across EU member states. This would simplify the process and reduce the administrative load on businesses. FERMA further proposes that the European Commission collaborate with stakeholders to streamline processes and reduce the number of entities involved in cyber reporting.

Insurance and Risk Transfer Implications

The report also highlights the importance of considering insurance implications in cyber reporting. Philippe Cotelle, chair of FERMA's Digital Committee, pointed out, "We are acutely aware that while risk management plays a vital role in building resilience to, and recovery from, [cyber attacks], there are no regulations that give technical specifications of what risk management measures organizations should take, nor are there any that consider the insurance implications."

FERMA urges the European Commission to consider the insurance and risk transfer implications when drafting future cyber-related legislation. The report also advocates for collaboration between the European Union Agency for Cybersecurity, the European Cybersecurity Competence Centre, and the risk management community to develop best practices, especially for small- and medium-sized enterprises.

The Role of Risk Managers

The report advises risk managers to adopt a proactive approach to cyber-incident management. This involves ensuring organizations have the necessary measures to identify, assess, mitigate, and respond to cyber risks. Risk managers should work closely with chief information security officers, data protection officers, and internal audit teams to manage compliance.

Laure Zicry, head of FINEX Cyber for Western Europe at WTW, reinforced this point, "The role of the risk manager is crucial to guarantee that all risks have been properly identified and that the best mitigation strategies have been adopted."

FERMA also encourages risk managers to promote regular "table-top exercises" that simulate cyber incidents, since these exercises can significantly improve an organization's readiness to manage cyber threats. In the WTW survey referenced in the report, organizations that conducted such exercises were found to be significantly better prepared to manage cyber incidents than those that did not.

Practical Guidance and Case Studies

The report includes practical guidance and case studies to help risk managers navigate the complex reporting requirements. These examples cover scenarios such as ransomware attacks on critical infrastructure, data breaches in financial institutions, and software supply chain attacks. Each case outlines the specific reporting obligations, potential penalties for noncompliance, and relevant insurance considerations.

For instance, a ransomware attack on a healthcare organization would trigger reporting obligations under both NIS1 and GDPR. Failure to comply could result in significant fines, and the report underscores the importance of documenting reporting processes to ensure compliance.

The Cyber Reporting Stack: Navigating the EU Requirements report is available here.
