The Swiss Financial Market Supervisory Authority (FINMA) today published its guidance on cyber risks.

All supervised institutions have an obligation to report cyber attacks. The institution has 24 hours from the time a cyber attack is discovered to submit an initial report to FINMA.

Within these 24 hours supervised institutions are expected to make an initial assessment of the cyber attack’s criticality to determine whether it meets the materiality threshold to be reported to FINMA.

Institutions which are also subject to the reporting obligation under the Information Security Act (ISA; RS 128) may submit their 24-hour notification via the reporting form of the National Cyber Security Centre (NCSC) and select the option to forward the report to FINMA, provided this can be done within the deadline.

If an institution’s service provider (e.g. a hospital, asset manager or law firm) is not a material outsourcing partner within the meaning of FINMA Circular 18/3 “Outsourcing”, the institution must still ensure that the service provider informs it of cyber incidents the provider suffers. If the institution classifies a cyber incident reported to it as relevant within the meaning of FINMA Guidance 05/2020, it must submit the required reports to FINMA in such cases as well.

Cyber attacks with the severity level “severe” must be reported to FINMA within 24 hours, even outside of bank working days.

The reporting obligation for outsourced functions is as follows: in accordance with margin no. 23 of FINMA Circular 18/3, supervised institutions have the same responsibility to FINMA as if they were performing the outsourced function themselves. This means in turn that the reporting period begins as soon as the institution, or the third-party provider for outsourced functions, identifies a cyber incident. This also ensures that institutions that have not outsourced any functions receive equal supervisory treatment.

For reports on cyber attacks of “medium” severity, a concluding root cause analysis is required, comprising at a minimum the internal or external investigation and the forensic report. For reports on cyber attacks of “high” or “severe” severity, the root cause analysis should additionally comprise the following:

  • Reason for the success of the cyber attack;
  • Impact of the attack on compliance with supervisory requirements, the institution’s operations and customers;
  • Mitigation measures taken to address the consequences of the attack.

For “severe” cyber attacks, proof and analysis of the proper functioning of the crisis organisation must also be submitted.