Pillar I: ICT Risk Management Framework

Chapter II — ICT risk management

Section V — Learning and evolving

Article 14: Communication

Tags: communication, crisis-management, disclosure, stakeholder-management

Summary

Requires financial entities to have crisis communication plans in place, as part of the ICT risk management framework, that enable responsible disclosure of at least major ICT-related incidents or vulnerabilities to clients and counterparts and, where appropriate, to the public. Entities must also implement communication policies for internal staff and for external stakeholders, and task at least one person with implementing the communication strategy for ICT-related incidents and fulfilling the public and media function.

Key Requirements

  1. Establish crisis communication plans for ICT-related incidents and vulnerabilities

  2. Define internal communication policies, including escalation and notification procedures

  3. Task at least one person with the communication strategy and the public and media function for ICT incidents

  4. Plan for responsible disclosure of vulnerabilities

  5. Ensure communication to clients, counterparts and, where appropriate, the public

Detailed Analysis

Article 14 addresses the communication dimension of ICT risk management, recognizing that how a financial entity communicates during an incident can be as important as its technical response. Poor communication can amplify the impact of an incident through panic, misinformation, and loss of confidence.

Entities must establish communication plans and policies that cover multiple audiences and scenarios. The internal communication policy must ensure rapid escalation to decision-makers and coordination across response teams; it should distinguish between staff involved in ICT risk management, in particular those responsible for response and recovery, and staff who simply need to be kept informed, since the two groups need different information at different times. External communication must address clients, counterparts and, where appropriate, the public, with messaging tailored to each audience's needs and expectations and aligned with the separate incident reporting obligations towards competent authorities.

The requirement to task at least one person with the communication strategy reflects the need for consistent, authoritative communication during crises. Ad-hoc or conflicting messages from different parts of the organization undermine confidence and can create legal and regulatory exposure. The person fulfilling the public and media function must be trained in crisis communication and have access to accurate, timely information about the incident, which in practice means a defined channel from the incident response team to the communications function.

Responsible vulnerability disclosure is also addressed: the plans must enable responsible disclosure of at least major ICT-related incidents or vulnerabilities. When financial entities discover vulnerabilities, whether in their own systems or in shared infrastructure, they must have processes for appropriate disclosure that balance transparency with the need to prevent exploitation before a fix is available. This is particularly relevant in the interconnected financial ecosystem, where a vulnerability in one entity may affect many others.
