Improving Data for Managing Cyber Risk and Building Resilience

Gaps in the data available for assessing cyber risk have limited the development of metrics that would help the public and private sectors prevent and recover from cyberattacks and reduce systemic risk. Cyber incident disclosure rules, introduced to close the data gaps, help but fall short in supporting the effective management of cyber risk. This article examines current and proposed reporting requirements, especially in the financial sector, where they are the most advanced. It describes the data gaps that remain and discusses how moving toward a better and harmonized cyber incident data collection rule could improve cybersecurity and reduce the risk of catastrophic cyber incidents.