- Cyber risks remain one of the biggest operational risks; institutions must continuously monitor threats and test their infrastructure for vulnerabilities.
- Rise in outsourcing increases supply chain complexity and concentration risks, especially for cloud services, and increases dependencies and cyberattack risks.
- FINMA requires institutions to build up knowledge of and control mechanisms for outsourced functions; in FINMA's assessment, identification and monitoring of outsourcing risks are in some cases insufficient.
FINMA publishes an annual Risk Monitor as an overview of the risks that it currently classifies as particularly significant for supervised institutions and as the focus of its supervisory activities.
Cyber Risks
In the Risk Monitor for 2023, FINMA reports first on cyber risks (see also the FINMA cyber risks dossier). It continues to regard cyber risks as one of the greatest operational risks. The number of reports submitted to FINMA (Art. 29 para. 2 FINMASA) remained at the previous year's level, but the pressure on institutions to keep an eye on the current threat situation, react quickly and continuously test their own infrastructure for vulnerabilities remains high, especially with regard to zero-day exploits and DDoS attacks. The types of attack are distributed as follows:

Within the supervisory categories, the reports in absolute figures come mainly from the large institutions. However, smaller institutions are increasingly the target of attacks, and insurance companies (around 30%) and asset managers (around 20%) are catching up:

In terms of attack vectors, software vulnerabilities and attacks via web interfaces predominate, but attacks via service providers are on the rise:

Against this background, among other reasons, FINMA has revised its Circular (RS) on Operational Risks (in force as of 1 January 2024) and has adapted its supervisory practice for cyber risks. It has also conducted a survey of small and medium-sized insurance companies in order to assess the maturity of their cyber risk management and will "define further selective supervisory measures" on this basis. FINMA has also carried out a corresponding deep dive at banks, on which it is not (yet) reporting in the Risk Monitor.
Newly recognized outsourcing risk
FINMA now includes outsourcing as a "key driver of operational risks" in the Risk Monitor. As significant outsourcing increases, the complexity of the supply chain grows. Financial institutions mainly outsource, in whole or in part, business processes such as payment transactions (two thirds of banks), securities settlement, or IT infrastructure (80% of banks, 60% of insurers). This creates dependencies and, with cloud services in particular, concentration risks, as well as the additional cyber attack risks mentioned above.
Institutions remain responsible for the proper conduct of business. They must therefore build up the knowledge needed to manage and monitor outsourced functions and to take measures where necessary. FINMA sees a particular need to catch up in identifying the entire supply chain and the associated risks; risks in connection with significant outsourcing are in some cases not adequately identified, monitored and managed.