Consequently, FINMA further augmented its resources in this area in 2020. They will be deployed on the basis of a supervisory approach whereby institutions will be monitored across three areas: analysis of the threat, ongoing supervision and incident management or, as the case may be, crisis management. This approach was introduced at the start of the year under review and allows for consistent FINMA-wide monitoring of the cyber risks faced by all of the supervised institutions.
In terms of operational implementation of the supervisory approach, the focus was directed at establishing the threat, conducting expert assessments of the licence applications – particularly in the area of FinTech – and performing on-site supervisory reviews of financial institutions.
For FINMA, it is a matter of vital importance to be informed as early as possible when supervised institutions experience critical cyber incidents. This enables it to assist the supervised institutions during crisis situations and, where necessary, to take steps to ensure that other institutions are warned of identical or similar attacks. Accordingly, supervised institutions are required to report any major cyber attacks on their critical functions to FINMA. The requirements in connection with this reporting obligation under Article 29 para. 2 of the Financial Market Supervision Act (FINMASA) were specified in close consultation with the supervised institutions and notified in FINMA Guidance 05/2020.
(From the Annual Report 2020)