Technological progress and the latest trends have led to FINMA stepping up its supervision of cyber risks. These risks are monitored directly, for example through focused on-site audits by FINMA, and monitored by audit firms as part of the regulatory audit process. In addition, larger institutions are regularly reminded of the need to take appropriate precautions against cyber risks during self-assessments. The self-assessment in the second half of 2018 focused on the ability of the participating institutions to identify cyber threats arising from institution-specific vulnerabilities, perform a commensurate risk assessment and define countermeasures (threat intelligence).
The outcome of the self-assessment was that most of the participating institutions had made adequate provision for those risks. Moreover, in so doing they focus on the identification of threats and vulnerabilities affecting critical systems and sensitive data.
However, some institutions do need to improve, especially when identifying their vulnerable areas. At the same time, the threat situation keeps growing dynamically so that supervised institutions have to continually adjust and improve their repertoire of countermeasures. The approach of supervised institutions to cyber risks will remain a central challenge for prudential supervision going forward.
(From the Annual Report 2019)