New cyber supervisory approach and guidance

Dependency on information and communications technologies continued to rise in 2020. This was driven by the digitalisation strategies pursued by the supervised institutions and was intensified even further by the extensive pandemic-driven shift towards working from home. This dependency has rendered financial institutions increasingly vulnerable to cyber attacks. FINMA therefore assessed this risk to be even higher than in the previous year. It considers it to be one of the seven top risks faced by the Swiss financial centre.

Consequently, FINMA further augmented its resources in this area in 2020. They will be deployed on the basis of a supervisory approach whereby institutions will be monitored across three areas: analysis of the threat, ongoing supervision and incident management or, as the case may be, crisis management. This approach was introduced at the start of the year under review and allows for consistent FINMA-wide monitoring of the cyber risks faced by all of the supervised institutions.

In terms of operational implementation of the supervisory approach, the focus was directed at establishing the threat, conducting expert assessments of the licence applications – particularly in the area of fintech – and performing on-site supervisory reviews of financial institutions.

For FINMA, it is a matter of vital importance to be informed as early as possible when supervised institutions experience critical cyber incidents. This enables it to assist the supervised institutions during crisis situations and, where necessary, to take steps to ensure that other institutions are warned of identical or similar attacks. Accordingly, supervised institutions are required to report any major cyber attacks on their critical functions to FINMA. The requirements in connection with this reporting obligation under Article 29 para. 2 of the Financial Market Supervision Act (FINMASA) were specified in close consultation with the supervised institutions and notified in FINMA Guidance 05/2020.

(From the Annual Report 2020)

Annual Report 2020

Updated: 25.03.2021 Size: 2.2 MB

FINMA Guidance 05/2020

Duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA

Updated: 07.05.2020 Size: 0.24 MB