On 8 December 2023, the three European Supervisory Authorities (EBA, EIOPA and ESMA) published and opened a consultation until 4 March 2024 on the Joint Guidelines on the estimation of aggregated annual costs and losses caused by major ICT-related incidents. The guidelines aim to harmonise how financial entities estimate and report aggregated costs and losses from major ICT incidents to competent authorities upon request. They propose adopting the same approach for assessing gross and net costs/losses as the related technical standards on incident classification and reporting in order to promote consistency and reduce reporting burden. The proposed reference period for aggregation is the financial entity's accounting year to allow for the use of validated financial statement figures and provisions, ensuring data quality and coherence over time. The aggregation should cover all major incidents where the final incident report was submitted in that accounting year, or that had a financial impact reflected in that year's statements in order to capture the full impact over time. Reported figures should break down costs and losses by individual major incidents rather than just the aggregate in order to provide more meaningful information to authorities. A template is provided to report the aggregated and per-incident gross costs, recoveries and net costs/losses.
Original source