FINMA publishes an annual risk monitor as an overview of the risks that FINMA currently classifies as particularly significant for supervised institutions and as the focus of its supervisory activities. It not only identifies the main risks (this summary is naturally limited to the area of technology and data), but also formulates supervisory expectations. It published the Risk Monitor 2025 today.

Outsourcing risks

FINMA considers outsourcing risk to be at the same level as in the previous year (i.e. high).

The main risk drivers are:

  • Increasing concentration on a small number of service providers, particularly for cloud services
  • Identification and assessment of risks along the supply chain (even if the outsourcing is not considered material)
  • Geopolitical uncertainties

Supervisory focus

FINMA monitors outsourcing risk by means of specific on-site inspections – of supervised institutions and their service providers – and by systematically evaluating supervisory and audit data. It compiles an inventory of significant outsourcing in order to identify concentrations on a small number of service providers. The focus is on the outsourcing of critical functions that are central to operational resilience.

FINMA is particularly concerned about cluster risk among a small number of providers:

The increasing concentration on a small number of service providers, particularly in the area of ICT infrastructure and cloud services, continues to pose a key risk. Numerous institutions use the same providers, which can lead to systemic dependency.
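As an added illustration of how an institution could use such an outsourcing inventory to surface cluster risk on a few providers (this is example code written for this summary, not part of the original post or of FINMA's own supervisory tooling): the Python below takes a constructed inventory of outsourced functions, computes each provider's share of the critical functions, and derives a Herfindahl index as a single concentration figure. The provider names, inventory rows and the flagging thresholds are assumptions chosen for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Outsourcing:
    """One row of the outsourcing inventory."""
    function: str   # outsourced business or ICT function
    provider: str   # service provider the function depends on
    critical: bool  # central to operational resilience?


# Constructed sample inventory (hypothetical institution, hypothetical providers).
INVENTORY = [
    Outsourcing("core banking hosting", "CloudProviderA", True),
    Outsourcing("payment processing", "CloudProviderA", True),
    Outsourcing("data warehouse", "CloudProviderA", True),
    Outsourcing("e-mail and collaboration", "CloudProviderB", False),
    Outsourcing("HR system", "SaaSVendorC", False),
    Outsourcing("market data feed", "DataVendorD", True),
]


def provider_shares(inventory, critical_only=False):
    """Return each provider's share of the outsourced functions.

    With critical_only=True only functions flagged as critical are counted,
    which is the view that matters for operational resilience.
    """
    rows = [r for r in inventory if r.critical or not critical_only]
    counts = Counter(r.provider for r in rows)
    total = sum(counts.values())
    return {p: n / total for p, n in counts.items()} if total else {}


def herfindahl_index(shares):
    """Herfindahl-Hirschman index: sum of squared shares.

    Ranges from 1/N (N providers with equal shares) up to 1.0 (everything
    sits with a single provider).
    """
    return sum(s * s for s in shares.values())


def concentration_findings(inventory, share_threshold=0.5, hhi_threshold=0.25):
    """Flag providers carrying a large share of critical functions.

    Both thresholds are assumptions for this example, not regulatory values.
    """
    shares = provider_shares(inventory, critical_only=True)
    hhi = herfindahl_index(shares)
    flagged = sorted(p for p, s in shares.items() if s >= share_threshold)
    return {
        "critical_shares": shares,
        "hhi": hhi,
        "concentrated": hhi >= hhi_threshold,
        "flagged_providers": flagged,
    }


if __name__ == "__main__":
    findings = concentration_findings(INVENTORY)
    for provider, share in sorted(findings["critical_shares"].items()):
        print(f"{provider:16s} {share:5.0%} of critical functions")
    print(f"HHI = {findings['hhi']:.3f}, concentrated = {findings['concentrated']}")
    print("flagged providers:", ", ".join(findings["flagged_providers"]) or "none")
```

In the constructed inventory three of the four critical functions sit with one cloud provider, so that provider is flagged and the index lands well above the example threshold; the same calculation run across several institutions' inventories is how a supervisor can see that many of them depend on the same provider.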

Cyber risks

In contrast, there was a clear increase in cyber risks.

The main risk drivers are:

  • Concentration on a few service providers
  • Attacks on supply chains
  • DDoS attacks
  • E-mail traffic
  • Insider threats
  • Incorrect transmission of sensitive information
  • Vulnerability management
  • Configuration management
  • Reporting system

Supervisory focus

FINMA monitors cyber risk through targeted on-site inspections and additional audit procedures at banks in supervisory categories 1 and 2. For institutions in categories 3 to 5, it uses a standard audit program for the management of cyber risks and uses questionnaires to assess the maturity of the institutions’ cyber protection arrangements. For fund management companies and managers of collective assets, it has also published checkpoints on the management of cyber risks.

ICT risks

There was also an increase in ICT risks.

The main risk drivers are:

  • Increasing complexity due to changing requirements, rapid technical progress and a large number of integrations with other systems
  • Dependence on IT systems
  • Faulty software components
  • Improper maintenance or human error
  • Inadequate quality of data from external sources (e.g. “non-compliant formatting”)
  • Automatic updates
  • Misconfiguration in authorization management
  • Legacy and end-of-life systems

Supervisory focus

FINMA monitors ICT risk by means of specific on-site inspections and the evaluation of supervisory and audit data.