FINMA supervisory notice 05/2020: Obligation to report cyber attacks

On May 7, 2020, FINMA issued Supervisory Notice 05/2020 on the obligation to report cyber attacks. It is set against the background of the risk of cyber attacks on the Swiss financial center, which continues to be assessed as "very high", especially in stress situations such as the current pandemic.

Supervisory Notice

The supervisory notice is intended to remind all supervised institutions of the reporting obligation under Art. 29 para. 2 FINMASA:

2 The supervised entities and the audit firms that perform audits on their premises must also immediately notify FINMA of any incidents that are of material importance for supervision.

FINMA expects the supervisory notice to be implemented by September 1, 2020 at the latest, or earlier on a best-effort basis.

The "materiality" criterion is met when the protection of creditors, investors and insured persons and/or the functioning of financial markets is impaired. This can also happen indirectly, e.g. in the case of attacks on infrastructure that is critical to institutions (ISPs, power generators, etc.).

Where the reporting obligation applies, the report must be made "immediately", i.e.

  • by a preliminary notification to FINMA via the responsible (key) account manager within 24 hours after detecting the cyber attack and making an initial assessment of its criticality, and
  • by the actual report within 72 hours via the FINMA survey and application platform (EHP) (from 1.6.2020: www.finma.ch/de/finma/extranet/erhebungs-und-gesuchsplattform).

The content of the report should cover the following points:

  • Institution name
  • Contact person incl. contact details (phone & e-mail address)
  • Date / time of the notification to FINMA
  • Date / time of detection of the attack
  • Date / time of the attack (if already known)
  • Description of the cyber attack and current status
  • Initial assessment of the severity of the cyber attack (see Appendix 1) (single selection: medium, high, severe)
  • Severity trend (single selection: decreasing, stable, increasing)
  • Affected entities (affected organizational unit(s) in the institution or at the service provider)
  • Protection goals affected (multiple selection: confidentiality, integrity, availability)
  • Affected critical functions, business processes or assets (affected information, technology infrastructure, buildings or personnel)
  • Number of customers affected (current status)
  • Attack vectors (multiple selection: e-mail, web-based attack, brute force attack, identity theft, external removable media, device loss/theft, exploitation of a software vulnerability, exploitation of a hardware vulnerability, other [please specify])
  • Type of attack (description) (e.g. DDoS, unauthorized access, malware, misuse / improper use of technology infrastructure, etc.)
  • Administrative, operational and/or technical countermeasures with the expected timeline
  • Communication measures (what, to whom, when)

In the event of new developments or assessments, a new report must be submitted within 72 hours.

After completion of the case processing by the institution, FINMA expects the following:

  • Severity high and severe: a root cause analysis report, including an analysis of the reason for the success of the attack, the impact of the attack on regulatory compliance, operations and customers, and the mitigating actions taken to address the consequences of the attack;
  • Severity severe: in addition, evidence and analysis of the functioning of the crisis organization;
  • Severity medium: a final report on the cause only.

The two appendices to the supervisory notice contain

  • criteria for determining the severity of a cyber attack, and
  • examples of critical assets and of cyber attacks on their protection goals.

Obligation to notify under data protection law

The reporting obligation under financial market supervision law applies alongside any reporting obligation under data protection law:

  • The current DPA (DSG) does not provide for any obligation to report to the FDPIC (although a voluntary consultation of the FDPIC is possible, which should be considered with caution, and under certain circumstances there may exceptionally be a notification obligation towards the persons concerned).
  • The GDPR provides for an obligation to report data security breaches with a relevant risk to the competent data protection supervisory authorities (or, in the case of (i) an EU representative or (ii) where a principal place of business or sole establishment in the EEA is responsible, to the competent authority). If the risk to data subjects is likely to be high (and also on the instruction of the authority), there is additionally a notification obligation towards the persons concerned.
  • The draft of the revised DPA (E-DSG) also provides for a reporting obligation towards the FDPIC if the breach is likely to result in a high risk. The persons concerned are to be informed if this is necessary for their protection (and on the instructions of the FDPIC).

If the requirements of both the reporting obligation pursuant to Art. 29 para. 2 FINMASA and a reporting obligation towards authorities under data protection law are met, both reports are mandatory.
