New FINMA Guidance On Cyber Risk Supervision Published


On 7 June 2024 FINMA published guidance on its findings from its cyber risk supervision and related topics. The guidance sheds further light on FINMA's approach to cyber risks and is essential reading for any regulated entity as it provides specific information on how to manage those risks.

FINMA Findings and Expectations

FINMA reminds readers that cyber risks have for many years been listed in its annual Risk Monitor and that reports of successful or partly successful cyber-attacks increase every year. It further published recommendations on a range of topics:

  • Outsourcing: FINMA has made supervision of regulated institutions' supply chain cyber risks a focus of its activities, as more than 50% of successful attacks happen via that vector. This also ties in with the broader focus FINMA has placed on outsourcing in recent years. When supervised institutions outsource a significant function, the service provider (including subcontractors) must adhere to the same regulatory standards as the institution. Institutions always retain ultimate responsibility for meeting supervisory requirements.
  • Governance and identification: While many institutions struggled to identify their unique cyber risk threat landscape, medium-sized institutions often also lacked a clear separation between the operational management of cyber risk and an independent control body. Additionally, lack of centralized authorization tools often left it unclear which staff members had access to critical data.
  • Protective measures: Data loss prevention measures were often limited to safeguarding customer identification information and credit card numbers, often neglecting other critical data such as sensitive personal information and intellectual property. FINMA also noted that there is room for improvement in employee cyber training and awareness. While it is crucial for all institutions to simulate scenarios where an attacker bypasses protective measures, specific requirements apply to institutions governed by Circular 2023/01 on operational risks and resilience.
  • Detection, response and restoration: Some institutions either lack comprehensive response plans for cyber incidents or fail to review their effectiveness, while many do not promptly and systematically monitor their ICT. Developing and testing realistic response plans is crucial for effectively managing cyber-attacks. It is imperative to promptly draw lessons and implement improvements following a successful attack.

Clarifications

FINMA has received a number of enquiries about how its Guidance 05/2020 on the duty to report cyber-attacks should be interpreted. It used the opportunity to clarify several points in the current guidance. More information on the guidance generally can be found in our blog post Cyber-Security Obligations for Financial Services Providers in Switzerland here.

Conclusion

Regulated entities should carefully review the new guidance and ensure that its findings are applied across their organizations, remediating any areas that might not be fully compliant with FINMA's expectations. While outsourcing may improve cybersecurity by allowing institutions to choose best-in-class service providers, experience shows that it may also substantially increase risks. It is therefore key to adopt an appropriate risk management framework and to reinforce the operational resilience of the outsourced functions. This requires that banks retain sufficient know-how regarding the outsourced functions to be able to analyze and monitor the provision of services. We will continue to publish updates on the area of cyber security and financial services.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
