In addition to the regular audits conducted by external audit firms, FINMA carried out more than a dozen cyber-specific on-site supervisory reviews. These reviews were primarily based on FINMA Circular 2023/1 “Operational risks and resilience – banks”, which entered into force on 1 January 2024. It contains updated requirements on the management of cyber risks, particularly in relation to the handling of scenario-based cyber risk exercises. FINMA had already published its Guidance 05/2020 on the issue of cyber risks in 2020. In its new Guidance 03/2024, FINMA noted the findings from the supervisory work on cyber risk management and specified the process to be followed in connection with cyber incidents and the handling of scenario-based cyber risk exercises.
The number of reports received by FINMA concerning successful or partially successful cyber attacks increased by approximately 30% in comparison to 2023. FINMA reported extensively on those attacks in its 2024 Risk Monitor. There was also a further increase in attacks targeting the external service providers of supervised institutions. These attacks accounted for approximately 30% of the reported cyber attacks. As a consequence of the intensified supervision of smaller market participants, such as independent portfolio managers or untied insurance intermediaries, an increasing number of cyber attacks were also registered in respect of these supervised institutions and individuals.
As also explained in its 2024 Risk Monitor, FINMA regards the outsourcing of significant functions to third parties as one of the most important risks facing supervised institutions. Financial institutions are becoming increasingly dependent on service providers in connection with the supply of important functions. In 2024, there was a further increase in the number of outsourced services relating to critical functions of the supervised institutions. The number of sub-outsourcers also rose in line with the increase in outsourced services, thereby increasing the complexity of the supply chains. The supervised institutions are thus heavily dependent on third parties for the purposes of supplying their services and ensuring the continuity of their business activities.
During the reporting period, FINMA continuously gathered data on significant outsourcing activities by banks, insurers, financial market infrastructures and other financial market participants. It identified existing concentration risks and noted an increased concentration at individual service providers supplying significant or even critical functions to numerous financial institutions. An outage at one of these service providers, or an incident involving unauthorized access to sensitive data held by them, could have a very serious impact on the Swiss financial market. There has been a significant increase in the outsourcing of IT infrastructure and critical data to the public cloud. As of 2024, one in five banks or insurance companies was already outsourcing significant data or functions to public cloud service providers.
FINMA raised awareness among both the institutions and the service providers regarding the heightened risk situation; in doing so, it focused on the operational resilience of both the institutions and the Swiss financial market as a whole. In addition, FINMA also closely monitored the international developments in this area of third-party risk management. In 2024, the Basel Committee on Banking Supervision (BCBS) began defining new principles for ensuring sound risk management with regard to agreements with third parties.
Cyber risks, and their management, have been a principal risk area facing the supervised institutions for many years. Accordingly, FINMA intensified its supervisory work in that area during 2024. This was reflected, in particular, by the increased number of on-site supervisory reviews, as well as by the use of a broad range of supervisory instruments, such as scenario analyses, tabletop or red teaming exercises, or the publication of guidance. During tabletop exercises, roles and responses in an emergency are discussed on the basis of risk scenarios; in the case of red teaming exercises, company security is enhanced by means of simulated cyber attacks.
This guidance in particular has proven to be an effective instrument for managing a highly dynamic risk, such as cyber risk, and a constantly changing threat situation. The current conditions resulting from the threat situation and critical findings drawn, for example, from on-site supervisory reviews, supervisory discussions or the cyber reporting process, can thus be shared promptly with the supervised institutions. Similarly, developments in the financial market, such as the use of cloud solutions, or in the technology area, for example the use of artificial intelligence (AI) in the management of cyber risks, are set out in detail in the guidance.
FINMA Guidance 03/2024, which was published during the year under review, sets out the findings from the supervisory work relating to cyber risks and provides further clarifications, both supplementing FINMA Guidance 05/2020 and concerning the scenario-based cyber risk exercises. Within the framework of the existing supervisory requirements, FINMA is thus helping to drive targeted and continuous improvements in the implementation of these requirements.
The publication ensured that supervised institutions’ awareness of cyber risks remained at a consistently high level in 2024. Even after publishing the supervisory requirements, FINMA continued to play its part in continuously raising the maturity levels of the supervised institutions in relation to cyber risk management. In doing so, it boosted the stability of both the individual institutions and the financial market as a whole. Consequently, in 2024, the number of cyber attacks on supervised institutions that reached seriously critical levels was low.
(From the Annual Report 2024)