ANNEX I
TEMPLATES FOR THE REPORTING OF MAJOR INCIDENTS
| Number of field | Data field | |
|---|---|---|
| General information about the financial entity | | |
| 1.1 | Type of submission | |
| 1.2 | Name of the entity submitting the report | |
| 1.3 | Identification code of the entity submitting the report | |
| 1.4 | Type of financial entity affected | |
| 1.5 | Name of the financial entity affected | |
| 1.6 | LEI code of the financial entity affected | |
| 1.7 | Primary contact person name | |
| 1.8 | Primary contact person email | |
| 1.9 | Primary contact person telephone | |
| 1.10 | Second contact person name | |
| 1.11 | Second contact person email | |
| 1.12 | Second contact person telephone | |
| 1.13 | Name of the ultimate parent undertaking | |
| 1.14 | LEI code of the ultimate parent undertaking | |
| 1.15 | Reporting currency | |
| Content of the initial notification | | |
| 2.1 | Incident reference code assigned by the financial entity | |
| 2.2 | Date and time of detection of the major ICT-related incident | |
| 2.3 | Date and time of classification of the ICT-related incident as major | |
| 2.4 | Description of the major ICT-related incident | |
| 2.5 | Classification criteria that triggered the incident report | |
| 2.6 | Materiality thresholds for the classification criterion ‘Geographical spread’ | |
| 2.7 | Discovery of the major ICT-related incident | |
| 2.8 | Indication whether the major ICT-related incident originates from a third-party provider or another financial entity | |
| 2.9 | Activation of business continuity plan, if activated | |
| 2.10 | Other relevant information | |
| Content of the intermediate report | | |
| 3.1 | Incident reference code provided by the competent authority | |
| 3.2 | Date and time of occurrence of the major ICT-related incident | |
| 3.3 | Date and time when services, activities or operations have been recovered | |
| 3.4 | Number of clients affected | |
| 3.5 | Percentage of clients affected | |
| 3.6 | Number of financial counterparts affected | |
| 3.7 | Percentage of financial counterparts affected | |
| 3.8 | Impact on relevant clients or financial counterparts | |
| 3.9 | Number of affected transactions | |
| 3.10 | Percentage of affected transactions | |
| 3.11 | Value of affected transactions | |
| 3.12 | Information on whether the numbers are actual or estimates, or whether there has not been any impact | |
| 3.13 | Reputational impact | |
| 3.14 | Contextual information about the reputational impact | |
| 3.15 | Duration of the major ICT-related incident | |
| 3.16 | Service downtime | |
| 3.17 | Information on whether the numbers for duration and service downtime are actual or estimates. | |
| 3.18 | Types of impact in the Member States | |
| 3.19 | Description of how the major ICT-related incident has an impact in other Member States | |
| 3.20 | Materiality thresholds for the classification criterion ‘Data losses’ | |
| 3.21 | Description of the data losses | |
| 3.22 | Classification criterion ‘Critical services affected’ | |
| 3.23 | Type of the major ICT-related incident | |
| 3.24 | Other types of incidents | |
| 3.25 | Threats and techniques used by the threat actor | |
| 3.26 | Other types of techniques | |
| 3.27 | Information about affected functional areas and business processes | |
| 3.28 | Affected infrastructure components supporting business processes | |
| 3.29 | Information about affected infrastructure components supporting business processes | |
| 3.30 | Impact on the financial interest of clients | |
| 3.31 | Reporting to other authorities | |
| 3.32 | Specification of ‘other’ authorities | |
| 3.33 | Temporary actions/measures taken or planned to be taken to recover from the incident | |
| 3.34 | Description of any temporary actions and measures taken or planned to be taken to recover from the incident | |
| 3.35 | Indicators of compromise | |
| Content of the final report | | |
| 4.1 | High-level classification of root causes of the incident | |
| 4.2 | Detailed classification of root causes of the incident | |
| 4.3 | Additional classification of root causes of the incident | |
| 4.4 | Other types of root cause types | |
| 4.5 | Information about the root causes of the incident | |
| 4.6 | Incident resolution summary | |
| 4.7 | Date and time when the incident root cause was addressed | |
| 4.8 | Date and time when the incident was resolved | |
| 4.9 | Information if the permanent resolution date of the incident differs from the initially planned implementation date | |
| 4.10 | Assessment of risk to critical functions for resolution purposes | |
| 4.11 | Information relevant for resolution authorities | |
| 4.12 | Materiality threshold for the classification criterion ‘Economic impact’ | |
| 4.13 | Amount of gross direct and indirect costs and losses | |
| 4.14 | Amount of financial recoveries | |
| 4.15 | Information on whether the non-major incidents have been recurring | |
| 4.16 | Date and time of occurrence of recurring incidents | |