- FINMA publishes Supervisory Communication 03/2024 with findings, clarifications on the reporting obligation and information on scenario-based cyber exercises.
- Significant deficiencies in service provider management: missing inventories, incomplete controls and inadequate integration into the internal control system.
- Inadequate governance, protection measures and recovery plans; training and data loss prevention often incomplete.
- Reporting obligations specified: 24-hour initial notification, 72-hour full notification, deadlines for outsourcing apply from the time the provider becomes aware of the situation; scenario-based exercises prescribed.
On June 7, 2024, FINMA published Supervisory Communication 03/2024 on cyber risks (available, among other languages, in German and English).
The FINMA supervisory communication “03/2024 – Findings from cyber risk supervisory activities, clarification of FINMA supervisory communication 05/2020 and scenario-based cyber exercises” contains
- findings from FINMA’s cyber risk supervisory activities, including deep dives at banks;
- a specification of the FINMA supervisory communication 05/2020 on the obligation to report cyber attacks; and
- notes on the scenario-based cyber exercises in accordance with the Circular Operational Risks and Resilience.
Findings from cyber risk supervision activities
As part of on-site inspections (“deep dives”), including at banks, FINMA has attempted to identify the factors that are particularly important for the success of cyber attacks.
At the service provider level the picture is evidently sobering. Overall, there is often a lack of a clear view of the service providers, of the significance of the services they provide in the context of the institution’s activities, of the risks associated with outsourcing and of the type and significance of the data processed. There also appears to be a lack of integration of risk controls into the internal control system (ICS) and a lack of communication between the institution and the provider:
- Only “very few” institutions exchange information with the most important service providers after identifying security gaps so that they can close them.
- Some service providers were apparently negligent in closing vulnerabilities.
- “Very often” there is no complete inventory of service providers, including critical functions or critical data stored by the service provider. The monitoring of service providers was therefore incomplete.
- Some institutions apparently do not record significant subcontractors correctly.
- There is also a problem with the classification of critical data – “for the most part, the institutions concerned had not clearly defined” what they consider to be critical data.
FINMA has also identified deficiencies in governance:
- Medium-sized institutions often do not correctly differentiate between the operational handling of cyber risks and the independent control body.
- Cyber risk potentials are often not correctly identified and employees’ access rights are often unclear due to the lack of a central authorization tool.
- “Quite a few” institutions have not explicitly integrated cyber risks into the management of operational risks.
- “Some supervised institutions” defined cyber risks and their risk appetite or risk tolerance inadequately.
With regard to protective measures, FINMA sees the following shortcomings, even if the overall “trend” is positive:
- The protective measures for data loss prevention (DLP) have too narrow a focus on CID or credit card numbers. Other critical data such as “sensitive personal data”, business secrets, intellectual property, etc. are often not captured.
- Some institutions do not test their data backup processes and recovery plans for resilience in the event of a ransomware attack, for example.
- A “large number” of institutions lack training and awareness in the cyber area.
In the area of detection, response and recovery after cyber attacks, FINMA sees the following patterns:
- Some institutions did not have sufficient response plans for cyber incidents.
- Some institutions do not monitor their information and communication technology promptly and systematically.
- Often, no specific recovery measures were defined after cyber attacks.
The picture that FINMA paints here is not surprising and is of course not limited to regulated sectors. Risk protection can only be effective if it covers all system components, i.e. if interfaces to external services are also included in the risk assessment, and if the processes for managing risks are thought through to the end. Many companies have a somewhat insular view of their own area without sufficiently taking into account the shared responsibility for interfaces and purchased services. However, a significant proportion of cyber attacks are carried out via providers. According to public sources, around 40% of cyber attacks are carried out via the supply chain, and more than 90% of all companies are said to be affected by such attacks.
Clarification of the FINMA supervisory communication on the obligation to report cyber attacks
On May 7, 2020, FINMA published its Supervisory Communication 05/2020 – Duty to report cyber attacks. Since then, it has received “various inquiries regarding its interpretation”, particularly recently in the course of the new circular on operational risks and resilience (RS 2023/1). It is taking this as an opportunity to make clarifications to Supervisory Communication 05/2020, which should therefore be read together with Supervisory Communication 03/24 in future.
The clarifications relate to the duty to report in accordance with Art. 29 para. 2 FINMASA, which FINMA has specified for all supervised institutions in Supervisory Communication 05/2020 and for banks and securities firms in RS 2023/1. In formal terms, Supervisory Communication 03/24 only refers to the earlier Supervisory Communication 05/2020 (which was not repealed by RS 2023/1), but in terms of content its statements naturally also apply to the parallel obligations in RS 2023/1.
FINMA specifies its supervisory expectations as follows:
Deadline for notifications
Here FINMA confirms what is already known: from the time a cyber attack is discovered, the institution has 24 hours to submit an initial report to FINMA. Within these 24 hours, the institution must make an initial assessment of criticality in order to determine whether the cyber attack requires a report to FINMA.
The “actual” notification must then be submitted within a total of 72 hours via the FINMA survey and application platform (EHP).
Expectations for the initial notification
FINMA clarifies that timeliness is the most important aspect of the initial notification. No special expectations apply in terms of form or content, and initial notifications can also be revoked:
- The initial notification can be made informally; a notification by e‑mail, telephone, etc. is sufficient. Based on the initial assessment, it only needs to reproduce the facts known at that time. Nothing more is required at this stage. FINMA’s aim is to be able to react quickly; the content of the initial notification is secondary.
- Of course, it is possible that further clarification may reveal that the initial notification was not mandatory. Institutions can therefore withdraw initial notifications at any time.
If an institution is also subject to the reporting obligation under the ISG, the initial report can also be submitted using the BACS reporting form if the option to forward the report to FINMA is selected (based on Art. 73d E‑ISG). However, the institution must ensure that the deadline can be met: the time between reporting to BACS and forwarding to FINMA is the responsibility of the institution. As far as is known, however, forwarding by the BACS is automated and unfiltered, i.e. presumably immediate. The actual report must then still be submitted via the EHP.
Expectations for the actual notification
For reports of cyber attacks with a severity level of “medium” or higher, Supervisory Communication 05/2020 requires a final root cause report that includes at least the internal or external investigation or forensic report (further requirements can be found in Supervisory Communication 05/2020). As FINMA has now clarified, the root cause report should include the following points for the severity levels “high” or “serious”:
- Reason for the success of the cyber attack;
- Impact of the attack on compliance with regulatory requirements, the institution’s operations and customers;
- initiated mitigation measures to address the effects of the attack.
For cyber attacks with the severity level “serious”, evidence and analyses of the crisis organization’s ability to function must also be submitted.
Start and calculation of deadlines
In particular, FINMA is confirming its long-established practice that, in the case of outsourcing, the reporting deadlines begin to run as soon as the provider becomes aware of the cyber attack. Outsourcing remains the responsibility of the institutions. FINMA concludes from this that the reporting deadline begins to run as soon as the institution, or in the case of outsourced functions the third-party provider, has discovered a cyber incident. This also ensures the equal treatment under supervisory law of institutions that have not outsourced any functions.
This applies in any case to providers of essential functions. If a service provider is not an essential outsourcing partner, the institution must ensure that it is informed of cyber incidents.
When calculating the deadlines for the initial notification and the subsequent notification, only official bank working days count. An exception applies to attacks with the severity level “serious”: in this case, the deadline for the initial report also runs outside of bank working days. FINMA’s statement must be read as meaning that this exception does not apply to the deadline for the follow-up report.
Scenario-based cyber exercises
FINMA clarifies a number of points regarding scenario-based cyber exercises for banks and securities firms. The scope and content of these exercises are based on the generally applicable proportionality principle in RS 23/1. Systemically important institutions must also carry out red teaming exercises, and other institutions must carry out a table-top exercise at least once a year. The smaller institutions (supervisory categories 4 and 5) can also participate in the exercises of the Swiss Financial Sector Cyber Security Center (Swiss FS-CSC) as long as the institution-specific threat potential can be determined with the corresponding Swiss FS-CSC exercise.
FINMA also reserves the right to have such risk-based, scenario-related cyber exercises carried out selectively as part of the regulatory audit or an additional audit, and to monitor them closely.