OM-5.5.60
The comprehensive cyber security incident report referred to in Paragraph OM-5.5.58 should include the following details:
(a) Date and time of discovery of the incident;
(b) Time elapsed from detection to restoration of critical services;
(c) Who discovered the incident (e.g. third-party service provider, customer, employee);
(d) Type of cyber incident (e.g. DDoS, malware, intrusion/unauthorised access, hardware/firmware failure, system software bugs);
(e) Impact of the incident (e.g. impact to availability of services, loss of confidential information) including financial, legal and reputational impact and to which group of stakeholders (e.g. retail and corporate customers, settlement institutions, service providers);
(f) Affected systems and technical details of the incident (e.g. source IP address and port, indicators of compromise (IOCs), tactics, techniques and procedures (TTPs));
(g) Root cause analysis; and
(h) Actions taken:
• Escalation steps taken;
• Stakeholders informed;
• Response and recovery activities;
• Lessons learnt.
Added: July 2021