FINMA continues to regard cyber risks as one of the principal risks faced by the Swiss financial centre. During the year under review, it therefore allocated further resources to this area. Compared with 2020, FINMA also conducted a significantly greater number of cyber-specific on-site supervisory reviews.
Supervised institutions are paying increasing attention to cyber risks, which they very frequently identify as one of their main risk areas. Between 2019 and 2021, FINMA almost tripled the number of on-site supervisory reviews conducted at institutions, and a further increase in the number of reviews is planned for 2022. However, during the year under review, it was also established that some supervised institutions were failing to report regularly on these risks to their executive board or their board of directors.
With regard to identifying institution-specific potential threats from cyber attacks, some institutions lacked a clear definition of the scope and content of their critical and/or sensitive company-specific data. Consequently, these institutions reported difficulties in targeting their protective measures at that data.
To gain a more comprehensive and realistic insight into the capacities of institutions to withstand cyber attacks, FINMA’s cyber supervision encompassed, for the first time, two different threat-based scenario analyses during the year under review. Firstly, the processes for detecting and responding to a cyber attack were tested by means of tabletop exercises, which simulate attack scenarios. Secondly, FINMA commissioned specialists to conduct scenario-based tests under controlled conditions and in consultation with the institutions.
The majority of the findings from the on-site supervisory reviews concerned the protection of business processes and technological infrastructure. Some supervised institutions showed room for improvement in the areas of cyber training and awareness. In order for the protective measures to be effective, it is essential to ensure that employees at all hierarchical levels are kept regularly informed about the cyber risks and that they know and understand the most common methods of attack, such as phishing; they must also know who to contact within the company if they spot any signs of a cyber attack.
More than half of the reports received on cyber attacks of substantial importance involved attacks on availability by means of distributed denial of service (DDoS). Since the reporting obligation was introduced in September 2020, three waves of DDoS attacks have been observed in total. The first wave, in September 2020, had particularly serious consequences and, in some cases, affected the availability of remote-working infrastructure, online services, email infrastructure and other systems. Some institutions had neglected their defence mechanisms in this area. The second most frequent reporting category involved attacks on third parties: approximately 25% of the affected supervised institutions were not attacked directly, but indirectly via their key service providers.
With respect to the identification and logging of cyber attacks, it was clear that some institutions had been failing to monitor their technological infrastructure in a timely and systematic manner. In some cases, critical log data was not being analysed at all, or such analyses were being performed only during office hours.
In the year under review, most institutions implemented precautionary measures to ensure the prompt restoration of normal business operations following extraordinary events. In many cases, however, there was still a lack of specific measures for restoring operations following cyber attacks.
(From the Annual Report 2021)