European Union: Closed consultation on Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents

On 4 March 2024, the three European Supervisory Authorities (EBA, EIOPA and ESMA) closed their consultation on the draft Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines aim to harmonise how financial entities estimate and report aggregated costs and losses from major ICT incidents to competent authorities upon request. They propose adopting the same approach for assessing gross and net costs/losses as the related technical standards on incident classification and reporting in order to promote consistency and reduce reporting burden. The proposed reference period for aggregation is the financial entity's accounting year to allow for the use of validated financial statement figures and provisions, ensuring data quality and coherence over time. The aggregation should cover all major incidents where the final incident report was submitted in that accounting year or that had a financial impact reflected in that year's statements, in order to capture the full impact over time. Reported figures should break down costs and losses by individual major incident, rather than just the aggregate, in order to provide more meaningful information to authorities. A template is provided to report the aggregated and per-incident gross costs, recoveries and net costs/losses.