Portugal's Insurance and Pension Funds Supervisory Authority updates cyber incident reporting template and instructions from April 2025

Portugal's Insurance and Pension Funds Supervisory Authority (ASF) published revisions to the file and reporting instructions for the monthly “Cyber incidents” report that Portuguese insurers, reinsurers and pension fund management companies must submit within 20 days after each month-end. The changes are intended to increase the quality and granularity of data collected to support monitoring and mitigation of cyber risk and to promote consistent reporting practices across supervised entities. The revised template adds new fields to capture whether an incident was already reported as severe, an internal incident code and the target system, as well as operational impact grading, system downtime and time-to-detect, time-to-mitigate and time-to-resolve metrics. It removes the “systemic impact” field, introduces separate fields for ongoing management expenses and extraordinary expenses to detail economic impact, and adds an additional worksheet for incidents previously reported as “in the process of resolution”. The reporting instructions are expanded and clarified, including updates to scope and the definition of cyber incidents, an updated classification taxonomy and illustrative examples. The updated file and instructions apply to cyber incident reporting due from 20 April 2025, covering the preceding month.