The Swiss Financial Market Supervisory Authority (FINMA) has today published its guidance on cyber risks.

All supervised institutions are obliged to report cyber attacks. An institution has 24 hours from the moment it discovers a cyber attack to submit an initial report to FINMA.

Within these 24 hours, supervised institutions are expected to make an initial assessment of the criticality of the cyber attack to determine whether it meets the materiality threshold to be reported to FINMA.

Institutions that are also subject to the reporting obligation under the Information Security Act (ISA; RS 128) can submit their 24-hour notification via the National Cyber Security Centre (NCSC) reporting form and choose to forward the report to FINMA, provided this can be done within the deadline.

If an institution’s service provider (e.g. hospital, asset manager, law firm) is not a material outsourcing partner within the meaning of FINMA circular 18/3 “Outsourcing”, the institution must ensure that the provider informs it of any cyber incidents the provider suffers. If the institution classifies a cyber incident reported to it as relevant within the meaning of FINMA Guidance 05/2020, it must also submit the required reports to FINMA in such cases.

Cyber-attacks with the severity level “severe” must be reported to FINMA within 24 hours, even outside bank business days.

The reporting obligation for outsourced functions is as follows: according to margin no. 23 of FINMA Circular 18/3, supervised institutions have the same responsibility towards FINMA as if they were performing the outsourced functions themselves. This in turn means that the reporting period starts as soon as either the institution or the third-party provider of the outsourced function detects a cyber incident. This also ensures that institutions that have not outsourced any functions receive equal supervisory treatment.

For reports of “moderate” severity cyber attacks, a final root cause analysis is required, which includes at least the internal or external investigation and forensic report. For reports of “high” or “severe” severity cyber attacks, the root cause analysis should additionally cover the following:

  • The reason the cyber attack succeeded.
  • The impact of the attack on compliance with supervisory requirements, on the institution’s operations and on its customers.
  • The mitigation measures taken to deal with the consequences of the attack.

For “serious” cyber attacks, evidence and analysis of the proper functioning of the crisis agency must also be submitted.
