FINMA'S EMPIRICAL FINDINGS FROM ITS CYBER RISK SUPERVISION
FINMA employs a variety of tools in its supervision of cyber risks. These include regular risk assessments, on-site and in-depth reviews and scenario-based cyber exercises. Through these tools, FINMA obtains a detailed picture of the cyber risk management and resilience of institutions under its supervision and identifies best practices and areas for improvement.
The newly published Cyber Risk-Guidance summarises key findings from FINMA's supervisory activity in the past years, highlighting recurrent shortcomings.
OUTSOURCING
FINMA has observed an increase in successful attacks on the supply chains of supervised institutions, which accounted for over 50% of all attacks in recent years. FINMA found that these attacks succeeded due to unclear cyber security requirements for service providers and a failure by supervised institutions to audit or at least regularly assess these requirements.
Very often supervised institutions did not have a full inventory of their service providers and failed in many cases to define clearly what constitutes critical data for them. This made it difficult to classify the service providers appropriately and to determine the control measures.
GOVERNANCE AND IDENTIFICATION
FINMA has also oberserved that governance in dealing with cyber risks is a further critical issue. Cyber risks were often treated as a purely technical problem and did not receive the necessary priority at management or board level. FINMA has therefore defined the responsibilities for governing bodies and management in its revised circular 2023/1 "Operational Risks and Resilience – Banks" which came into force on 1 January 2024.
The Cyber Risk-Guidance also notes other common weaknesses in the governance of cyber risks, such as the lack of clear separation between the operational management of cyber risk and the independent control function, the inadequate identification of the institution-specific cyber risk threat landscape, the failure to integrate cyber risks into the overall management of operational risks and the insufficient definition of cyber risks and their corresponding risk appetite and tolerance.
PROTECTIVE MEASURES
FINMA has noted a positive trend in the measures taken by supervised institutions to protect themselves, particularly with regard to defence against distributed denial-of service attacks (DDoS) and setting up data backup and recovery guidelines and processes.
However, FINMA also identified significant vulnerabilities, such as the limited scope of data loss prevention (DLP) measures, the lack of testing of backup and recovery processes in case of a serious cyber attack (e.g., a ransomware attack) and insufficient cyber training and awareness among staff at all hierarchical levels.
DETECTION, RESPONSE AND RESTORATION
The ability to identify, detect and respond to cyber attacks in a timely manner is a focus of most of FINMA's cyber risk on-site reviews.
During these reviews, FINMA observed the following recurring patterns among the supervised institutions: some of them had no or incomplete response plans for cyber incidents or did not test them for their effectiveness, some of them did not monitor their IT and communications technology systematically and promptly, and some of them lacked specific recovery measures after cyber attacks.
CLARIFICATIONS ON FINMA GUIDANCE 05/2020
Following several enquiries from supervised institutions, FINMA also provides in the Cyber Risk-Guidance some clarification on the interpretation of FINMA Guidance 05/2020 regarding the cyber attack reporting duty under art. 29 para. 2 of the Financial Market Supervision Act (FINMASA).
REPORTING, PRIORITY AND DEADLINE CALCULATION
Within 24 hours of discovering a cyber attack, supervised institutions are expected to make an initial assessment of the attack's criticality and, if required, must submit an initial report to FINMA. Notification can be made via email, telephone or other suitable means. A completed form in the web-based survey and application platform (EHP) provided by FINMA is not required initially. An initial report submitted to FINMA can be withdrawn at any time if the institution concludes after further investigation that the incident should not have been reported.
Institutions subject to the Information Security Act (ISA) may submit their initial report through the reporting form provided by the National Cyber Security Centre (NCSC), choosing to forward it to FINMA, if this can be done within 24 hours.
A completed form in the EHP must be submitted within 72 hours.
In addition, FINMA made it clear that meeting the 24-hour deadline takes precedence over completing the criticality assessment and that, while reporting deadlines are generally based on official bank working days, in case of "severe" attacks a strict 24-hour deadline applies.
To view the full article click here
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.