On May 7, 2020, FINMA issued Supervisory Notice 05/2020 on the obligation to report cyber attacks. It is set against the background of the risk of cyber attacks on the Swiss financial centre, which FINMA continues to assess as "very high", particularly in stress situations such as the current pandemic.
Supervisory Notice
The supervisory notice is intended to remind all supervised institutions of the reporting obligation under Art. 29 para. 2 FINMASA:
2 The supervised entities and the audit firms that conduct audits of them must also immediately report to FINMA any incidents that are of material importance for supervision.
FINMA expects the supervisory notice to be implemented by September 1, 2020 at the latest, or earlier on a best-effort basis.
The criterion of "materiality" is met when the protection of creditors, investors and insured persons and/or the functioning of the financial markets is impaired. This can also occur indirectly, e.g. through attacks on infrastructure that is critical to the institution (ISPs, power suppliers, etc.).
Where a reporting obligation exists, the report must be made "immediately", i.e.
- by pre-notifying FINMA via the responsible (key) account manager within 24 hours of detecting the cyber attack and making an initial assessment of its criticality, and
- by submitting the actual report within 72 hours via the FINMA survey and application platform (EHP) (from 1 June 2020: www.finma.ch/de/finma/extranet/erhebungs-und-gesuchsplattform).
The content of the report should be guided by the following points:
- Name of the institution
- Contact person incl. contact details (phone & e‑mail address)
- Date / time of the notification to FINMA
- Date / time of detection of the attack
- Date / time of the attack (if already known)
- Description of the cyber attack and current status
- Initial assessment of the severity of the cyber attack (see Appendix 1) (single selection: medium, high, severe)
- Severity trend (single selection: decreasing, stable, increasing)
- Affected entities (affected organizational unit(s) in the institution or at the service provider)
- Protection goals affected (multiple selection: confidentiality, integrity, availability)
- Affected critical functions, business processes or assets (affected information, technology infrastructure, buildings or personnel)
- Number of customers affected (current status)
- Attack vectors (multiple selection: e‑mail, web-based attack, brute-force attack, identity theft, external removable media, device loss/theft, exploitation of a software vulnerability, exploitation of a hardware vulnerability, other [please specify])
- Type of attack (description) (e.g. DDoS, unauthorized access, malware, misuse/improper use of the technology infrastructure, etc.)
- Administrative, operational and/or technical countermeasures, with the expected timeline
- Communication measures (what, to whom, when)
In the event of new developments or a changed assessment, a further report must be submitted within 72 hours.
Once the institution has completed processing the case, FINMA expects the following:
- Severity high and severe: a root cause analysis report including an analysis of the cause, the reasons the attack succeeded, the impact of the attack on regulatory compliance, operations and customers, and the mitigating measures taken to address the consequences of the attack;
- Severity severe: additionally, evidence and an analysis of the functioning of the crisis organization;
- Severity medium: a final report on the cause only.
The two appendices to the supervisory notice contain
- criteria for determining the severity of a cyber attack, and
- examples of critical assets and of cyber attacks on their protection goals.
Obligation to notify under data protection law
The reporting obligation under financial market supervision law applies concurrently with any reporting obligation under data protection law:
- The current DSG (Swiss Data Protection Act) contains no obligation to report to the FDPIC (a voluntary consultation of the FDPIC is possible, which may need to be assessed cautiously, and in certain circumstances there may exceptionally be a notification obligation towards the data subjects).
- The GDPR provides for an obligation to report personal data breaches that present a relevant risk to the data protection supervisory authority (where the controller has (i) a representative in the EU or (ii) a main or single establishment in the EEA, to the supervisory authority competent on that basis). If the breach is likely to result in a high risk to the data subjects (or on the instruction of the authority), the data subjects must also be notified.
- The draft of the revised DSG (E‑DSG) also provides for a reporting obligation towards the FDPIC if the breach is likely to result in a high risk. The data subjects are to be informed if this is necessary for their protection (or on the instruction of the FDPIC).
If the conditions of both the reporting obligation under Art. 29 para. 2 FINMASA and a reporting obligation under data protection law towards the authorities are met, both reports are mandatory.