FINMA issues new guidance on cyber-attacks reporting

With reference to cyber attacks, the protection of individuals (i.e. creditors, investors and insured persons) and the proper functioning of the financial markets directly or indirectly impacted by a cyber attack are of substantial importance. FINMA’s primary focus here is on the critical functions of supervised institutions where successful or partially successful cyber attacks would lead to failure or malfunction. This may significantly impact the protection of individuals, potentially leading to the impairment of the protective goal of availability. Additionally, the protective goals of integrity and confidentiality of information or data can also be jeopardised by such attacks. If systemically important institutions or several institutions that provide critical interlinked services are affected simultaneously, the proper functioning of Switzerland’s financial markets could be put at risk under certain circumstances.

Cyber attacks are normally targeted directly at the supporting resources for these critical functions. Supporting resources that are designated as critical assets include personnel, technology infrastructure, information and facilities as well as critical service providers who support the business processes of these critical functions. Every supervised institution must identify its critical functions, the corresponding business processes and supporting critical assets independently. If a cyber attack on critical assets results in one or more of the protective goals of critical functions and their business processes being put at risk, this must be reported to FINMA immediately.

Immediate reporting to FINMA means that the affected supervised institution informs FINMA through the responsible (Key) Account Manager within 24 hours of detecting such a cyber attack and conducting an initial assessment of its criticality. The actual report should be submitted within 72 hours via the FINMA web-based survey and application platform (EHP). If there are new developments or assessments related to the same attack after the reporting obligation has been met in full, a new report must be submitted within the specified deadline of 72 hours.

For cyber attacks with the severity levels high and severe, once the institution has finished processing the case FINMA expects a conclusive root cause analysis to be submitted including an analysis, reason for the success of the attack, impact of the attack on the observance of regulations, operations and customers as well as mitigating measures to address the consequences of the attack. For cyber attacks with the severity level severe, proof and analyses of the proper functioning of the crisis organisation must also be submitted. For cyber attacks with the severity level medium, a conclusive root cause analysis is sufficient. FINMA expects the detailed requirements from the guidance on reporting cyber attacks to be implemented by 1 September 2020 at the latest or earlier on a best effort basis.