As part of the revision of FINMA Circular 08/21 “Operational risks – banks”, FINMA decided to expand its provisions on technological infrastructure by including the critical aspects of dealing with cyber risks. The Circular requires banks and securities dealers to adopt an integrated and systematic approach to countering threats from the virtual world. The approach must cover governance and, for the systems and services exposed to cyber risks and attacks, specific measures for identification, protection, detection, response and recovery.
FINMA also undertook an assessment of specific banks’ measures to counter cyber attacks. This included ordering banks in Supervisory Categories 1 and 2 to carry out additional cyber risk audits. FINMA also asked banks in Supervisory Category 3 to take part in a self-assessment of their implementation of cyber attack countermeasures. Both the audits and the self-assessment focused on the critical aspects of cyber risks as set out in the revised implementing provisions.
The additional audits highlighted continuing deficits, in particular in the identification of potential cyber threats and in the protective measures in place. Based on these findings, the banks concerned took further steps to increase their resilience.
The self-assessment was designed to ascertain the progress in implementing measures to combat cyber risks, and to raise awareness of the critical aspects among banks in Supervisory Category 3.
Evaluation of the self-assessment by banks revealed wide differences: some banks rated nearly all measures as fully implemented, others almost none of them.
With regard to the critical aspects, detecting cyber attacks was one area in particular found to be needing improvement. In some cases there was a lack of measures to deal with more complex threat scenarios; in others the use of technical monitoring needed to be extended. However, there is also a need for action on the other critical aspects.
In summary, the additional audits and evaluation of the self-assessments revealed that as of early 2016, there was still much to be done in ensuring adequate resilience to threats from the virtual world. With the revised implementing provisions set to come into force on 1 July 2017, banks in Supervisory Categories 1 to 3 therefore initiated projects specifically to enhance their ability to withstand a cyber attack.
The self-assessment carried out in early 2016 at banks in Supervisory Category 3 revealed a need for improvements in all key aspects of dealing with cyber risks. Especially with regard to timely detection of cyber attacks, the majority of those taking part had not implemented key measures completely, if at all.
(From the Annual Report 2016)