CSSF Circular 24/847 on the ICT-related incident reporting framework · CSSF 24/847
Chapter 4: Date of application

28. This circular enters into force on 1 April 2024 for Supervised Entities as defined in point 2.a) to d) and k) to p) of section 1.1, and on 1 June 2024 for Supervised Entities as defined in point 2.e) to j) of section 1.1. This circular repeals and replaces Circular CSSF 11/504 concerning fraud and incidents due to external computer attacks on 1 April 2024 for Supervised Entities as defined in point 2.a) to d) and k) to p) of section 1.1, and on 1 June 2024 for Supervised Entities as defined in point 2.e) to j) of section 1.1.
Claude WAMPACH, Director; Marco ZWICK, Director; Jean-Pierre FABER, Director; Françoise KAUTHEN, Director; Claude MARX, Director General
Annexes
I. Deadlines and explanations concerning the submission of notifications
II. Data fields (in English only)
Footnote 13: Commission Implementing Regulation (EU) 2018/151 of 30 January 2018 laying down rules for application of Directive (EU) 2016/1148 of the European Parliament and of the Council as regards further specification of the elements to be taken into account by digital service providers for managing the risks posed to the security of network and information systems and of the parameters for determining whether an incident has a substantial impact.
Annex I: Deadlines and explanations concerning the submission of notifications

Columns of the original table: Relevant section to complete and submit / Deadline / Explanatory notes

Section: N/A (classification of the incident as major)
Deadline: Within 24 hours after detection of the ICT-related incident. Where the deadline for classification falls on a weekend or a public holiday, Supervised Entities may classify the incident on the next business day.
Explanatory notes: Classification of the incident as major. Reminder of point 15: where the ICT-related incident proves to have, or could have, a serious impact (for example, total unavailability of systems), the Supervised Entity must notify the CSSF as soon as possible within the set deadline and, where applicable, before the formal submission of the notification form.

Section: INITIAL INFORMATION
Deadline: Within 4 hours after classification of the incident as major. Where the deadline for notification falls on a weekend or a public holiday, Supervised Entities may notify the incident on the next business day.
Explanatory notes: The "INITIAL INFORMATION" section contains the general information about the incident that must be included in the notification at the first submission.

Section: CAUSES, CLASSIFICATION AND IMPACT OF THE INCIDENT
Deadline: Within 3 business days after submission of the INITIAL INFORMATION to the CSSF.
Explanatory notes: The "CAUSES, CLASSIFICATION AND IMPACT OF THE INCIDENT" section provides a more detailed description of the incident, its consequences and the corrective measures taken to resolve it. If the Supervised Entity is able to update earlier reports (concerning the same incident), an updated version of that section of the form may be submitted.

Section: ROOT CAUSES - FOLLOW-UP AND ADDITIONAL INFORMATION
Deadline: Within 20 business days after submission to the CSSF of CAUSES, CLASSIFICATION AND IMPACT OF THE INCIDENT.
Explanatory notes: The "ROOT CAUSES - FOLLOW-UP AND ADDITIONAL INFORMATION" section provides information on the root cause analysis, the lessons learned and any other relevant information. When submitting this information, the Supervised Entity must review the other sections of the form and update them where applicable.
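As an added example (not part of the circular or of Luxgap's material), the Python helper below computes the Annex I deadlines: the weekend/public-holiday deferral for the 24-hour and 4-hour steps, and business-day counting for the 3-day and 20-day steps. The holiday set is a constructed sample, and two interpretations are the example's own assumptions rather than the circular's text: a deferred deadline is taken as 23:59 of the next business day, and business-day deadlines keep the clock time of the preceding submission.

```python
from datetime import date, datetime, time, timedelta

# Constructed sample of non-working days for this example; an entity would
# substitute its own Luxembourg public-holiday calendar (assumption).
HOLIDAYS = {date(2024, 12, 25), date(2024, 12, 26), date(2025, 1, 1)}

def parse_form_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")  # Annex II "yyyy-mm-dd hh:mm"

def is_business_day(d: date) -> bool:
    return d.weekday() < 5 and d not in HOLIDAYS

def defer_if_non_working(deadline: datetime) -> datetime:
    """Annex I rule for the 24h and 4h deadlines: a deadline on a weekend or
    holiday moves to the next business day (23:59 assumed, no time given)."""
    d = deadline.date()
    while not is_business_day(d):
        d += timedelta(days=1)
    return deadline if d == deadline.date() else datetime.combine(d, time(23, 59))

def add_business_days(start: datetime, n: int) -> datetime:
    """n business days after start; submission clock time kept (assumption)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if is_business_day(d.date()):
            n -= 1
    return d

# One function per Annex I row, fed the actual time of the preceding step.
def classification_deadline(detected: datetime) -> datetime:
    return defer_if_non_working(detected + timedelta(hours=24))

def initial_information_deadline(classified: datetime) -> datetime:
    return defer_if_non_working(classified + timedelta(hours=4))

def causes_deadline(initial_submitted: datetime) -> datetime:
    return add_business_days(initial_submitted, 3)

def root_cause_deadline(causes_submitted: datetime) -> datetime:
    return add_business_days(causes_submitted, 20)

def worst_case_timeline(detected: datetime) -> dict:
    """Latest time for each step if every earlier step is done at its deadline."""
    classify = classification_deadline(detected)
    initial = initial_information_deadline(classify)
    causes = causes_deadline(initial)
    return {"classification": classify, "initial_information": initial,
            "causes_classification_impact": causes,
            "root_cause_follow_up": root_cause_deadline(causes)}
```

Feeding each function the actual timestamp of the previous step gives the binding deadline; worst_case_timeline gives the outer bound to plan an incident response playbook against.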
Annex II: Data fields (in English only)
Section – Initial Information
Data field description / Question | Field type | Proposed options
1. Contact person within the supervised entity for updates: Name and surname
1. Contact person within the supervised entity for updates: Email | Alphanumeric (email format)
1. Contact person within the supervised entity for updates: Phone | Number (telephone format)
2. Second contact person within the supervised entity for updates: Name and surname | Alphanumeric
2. Second contact person within the supervised entity for updates: Email | Alphanumeric (email format)
2. Second contact person within the supervised entity for updates: Phone | Number (telephone format)
3. Country(ies) affected by the incident | Choice (multiple) - Select all that apply | List of world countries
4. Date and time of detection of the incident | yyyy-mm-dd hh:mm
5. Date and time of classification of the incident as major | yyyy-mm-dd hh:mm
6. Criteria triggering the major ICT-related incident report | Choice (multiple) - Select all that apply | Clients or financial counterparts affected; Transactions affected; Reputational impact; Service downtime; Geographical spread; Data losses entailed in relation to availability, authenticity, integrity or confidentiality; Criticality of the services affected; Economic impact
7. The incident was detected by | Choice (multiple) - Select one option | IT security; Staff member; Internal audit; Consumer / payment service user; External auditor; Third party provider; Attacker / warning; Other
7.1. If "Other", specify | Alphanumeric
8. General description of the incident | Alphanumeric
   Provide a general description of the incident and its immediate impact, including the measures that have been taken so far
9. Short description of impact in other EU member states | Alphanumeric
10. Has the incident been reported to other authorities? | Boolean (Checkbox)
10.1. If checkbox was ticked, specify | Alphanumeric
11. If the incident caused a service interruption, is the service restored (even in degraded mode) at the time of this notification? | Alphanumeric
12. Is the incident notified under the NIS (Network Information System) framework? | Boolean (Checkbox)
Section – Incident cause, classification and impact
Data field description / Question | Field type | Proposed options
1. Detailed description of the incident | Alphanumeric
   Provide a detailed description of the incident, including (if known and/or applicable):
   - How the incident started
   - Background and incident detection: who was involved, what happened, how did it evolve?
2. What are the main areas/systems/channels that were affected as the incident evolved? | Alphanumeric
3. Was it related to a previous incident(s)? | Boolean (Checkbox)
3.1. If checkbox was ticked, specify | Alphanumeric
4. Date and time of beginning of the incident - if known | yyyy-mm-dd hh:mm
5. Who is leading the investigation of the incident? | Choice (multiple) - Select one option | Group; Supervised entity; Service provider; Security company; Other
6. Cause and type
6.1. Details regarding incident cause and type (Select all that apply). Select at least one of the main options. Then, as applicable, select the subcategories | Choice (multiple) - Select all that apply | Under investigation; Malware; Social engineering; Insider/Third Party Provider Threat; Intrusion/Unauthorised access; Denial of service; System/Process failure; Human error; Other
6.1.1. If "Other", specify | Alphanumeric
6.2. As applicable, select the subcategories | Choice (multiple) - Select all that apply | Subcategories per main option:
   Malware: Ransomware; Trojan horse; Virus/Worm/Spyware; Other (Malware)
   Social engineering: Phishing/*ishing; Other (Social engineering)
   Insider/Third Party Provider Threat: Accidental data leakage/corruption; Intentional misuse of access rights by insider; Intentional misuse of access rights by service provider; Other (Insider/Third Party Provider Threat)
   Intrusion/Unauthorised access: Brute force attack; Malicious script injection and/or OS commanding; Unauthorized use of resources, copyright; Account/application compromise; Other exploited vulnerability; Other (Intrusion/Unauthorised access)
   Denial of service: (no subcategories listed)
   System/Process failure: Hardware failure; Software/application failure; Network failure; Database/Storage failure; Physical damage; Other (System/Process failure)
7. If this incident is related to a cyber-attack, provide information regarding the attacker(s) (select all that apply) | Choice (multiple) - Select all that apply | Terrorists; Hacktivists; Foreign agencies; Inside job/Unaware employee; Unknown; Other
7.1. If "Other", specify | Alphanumeric
8.1. Number of internal users impacted | Numeric
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
8.1.1. As a % of total internal users (values allowed from 0 to 100, rounded, no decimals, percentage sign not allowed) | Numeric
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
8.2. Number of customers impacted | Numeric
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
8.2.1. As a % of total customers (values allowed from 0 to 100, rounded, no decimals, percentage sign not allowed) | Numeric
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
9. Service downtime? | Boolean (Checkbox)
9.1. If checkbox was ticked, provide the total service downtime (DD:HH:MM) | Alphanumeric (DD:HH:MM)
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
10. Economic impact
10.1. Direct financial loss in EUR | Numeric
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
10.2. Indirect financial loss in EUR | Numeric
   Actual or estimated | Choice (multiple) - Select one option | Actual figure; Estimation; Not yet available
11. Were crisis management (or equivalent) procedures activated or is it likely to be activated? | Boolean (Checkbox)
11.1. If checkbox was ticked, specify the actions taken | Alphanumeric
12. Were any legal or regulatory requirements breached? | Boolean (Checkbox)
12.1. If checkbox was ticked, specify | Alphanumeric
13. Was there any media coverage? | Boolean (Checkbox)
13.1. If checkbox was ticked, specify the media/newspapers/blogs that covered the topic | Alphanumeric
14. Overall impact (select all that apply) | Choice (multiple) - Select all that apply | Integrity; Availability; Confidentiality; Reputational
15. Was the incident affecting you directly, or indirectly through a service provider? | Choice (multiple) - Select one option | Directly; Indirectly
15.1. If "Indirectly", specify the service provider's name | Alphanumeric
16. Other impacts | Alphanumeric
17. Corrective actions/measures that have been taken so far or are planned to recover from the incident | Alphanumeric
18. Was a business continuity plan activated? If yes, when and how? | Boolean (Checkbox)
18.1. Date and time | yyyy-mm-dd hh:mm
18.2. Describe | Alphanumeric
19. Was a disaster recovery plan activated? If yes, when and how? | Boolean (Checkbox)
19.1. Date and time | yyyy-mm-dd hh:mm
19.2. Describe | Alphanumeric
20. Is the incident in any way related to remote access (e.g., teleworking, remote connectivity, etc.)? | Boolean (Checkbox)
20.1. If checkbox was ticked, specify | Alphanumeric
Section - Root cause, follow-up and additional information
Data field description / Question | Field type | Proposed options
1. Additional information | Alphanumeric
   Provide details regarding the following: Lessons learned (including main actions/measures taken/planned to prevent the incident from happening again in the future)
2. Root cause and/or Vulnerabilities/weaknesses identified (select all that apply) | Choice (multiple) - Select all that apply | Inadequate Change Management; Migration failure; Inadequacy of internal procedures and documentation; Improper operations; Latency issues; Recovery issues; Lack of staff awareness and/or compliance; Unauthorised software/wrong version; Inadequate privileged account management; Inadequate email/web browser protection; Inadequate malware defences; Inadequate identity access management; Inadequate security configurations for secure hardware and software on devices, laptops, workstations, servers; Inadequate boundary defences; Inadequate control of network ports, protocols and services; Inadequate resilience and/or back-up of systems or files; Unsecured network devices (firewalls, routers, switches); Inadequate maintenance and monitoring of logs; Inadequate DDoS defences; Inadequate penetration and security testing; Inadequate patch management; Inadequate application software security controls (web-based and other applications); Other
2.1. If "Other", specify | Alphanumeric
3. Other relevant information on the root cause (e.g., what went wrong with the change, new technical vulnerability exploited, etc.) | Alphanumeric
4. If this incident is related to a cyber-attack, what was the entry vector of the incident? (select all that apply) | Choice (multiple) - Select all that apply | Website; Instant messaging; Phone; Insider attack (privileged user); E-mail; Third party network; Unauthorised devices; Insider attack (regular / business users); Lost / stolen devices; Chat rooms / social media; Other
4.1. If "Other", specify | Alphanumeric
5. Who is leading the remediation actions? | Choice (multiple) - Select one option | Group; Supervised entity; Service provider; Security company; Other
5.1. If "Other", specify | Alphanumeric
6. Are Police/other security agencies involved in the investigation? | Choice (multiple) - Select one option | Police; Other; None
6.1. If "Other", specify | Alphanumeric
7. If the incident is related to ICT security, was the incident reported to the national CERT (e.g., CIRCL, GOVCERT)? | Boolean (Checkbox)
8. Has any legal action been taken (e.g., complaint with prosecutor against provider or perpetrator)? | Boolean (Checkbox)
8.1. If checkbox was ticked, specify | Alphanumeric
9. Assessment of the effectiveness of the action taken | Choice (multiple) - Select one option | Highly effective; Moderately effective; Not effective; Not yet available
9.1. Details | Alphanumeric
10. What is the current status of the incident? | Choice (multiple) - Select one option | Resolved; Contained; Ongoing; Unknown
10.1. Provide the date and time when the incident was closed, or is expected to be closed if known | yyyy-mm-dd hh:mm
In Luxembourg, CSSF Circular 24/847 interlocks with the law of 18 October 2024 transposing NIS 2 and the law of 1 August 2024 implementing DORA. A Luxembourg bank is typically subject to all three regimes: the CSSF (Circular 24/847), the ILR/HCPN (NIS 2) and DORA Article 19, which is directly applicable. The CSSF confirmed in its DORA FAQs that Circular 24/847 remains the operational notification channel to the CSSF, even after DORA's application on 17 January 2025.
Luxgap practice: we align your IRP on a triple-notification matrix CSSF + ILR + CNPD with a single decision entry point, to avoid contradictory narratives across the three authorities during a cross-cutting incident.