FINMA published its Guidance 03/2024 on Cyber Risk Supervision

07.06.2024|Sebastian Wälti

FINMA published its Guidance 03/2024 regarding findings from FINMA's cyber risk supervision, clarification of FINMA Guidance 05/2020 and scenario-based cyber risk exercises.

The Guidance is relevant for all institutions supervised by FINMA.

Some of the key elements are:

Governance

- Cyber risks are among the most significant risks for supervised institutions. They therefore need to be recognised as a separate risk category within the management of qualitative operational risks, with an explicitly defined risk appetite and risk tolerance.
- Key controls for cyber risks need to be integrated into the internal control system (ICS).
- The operational management of cyber risk must be kept separate from the independent control function.

Protective Measures

- FINMA has observed a positive trend in recent years (e.g. better and increasingly effective protective measures against DDoS attacks).
- Data loss prevention (DLP) measures should not be limited to client data but should also cover sensitive personal data, business secrets, intellectual property and comparable sensitive assets.

Detection, Response and Recovery

Effective preparation for cyber events and crises is critical for regulated institutions. Creating and testing realistic response plans is key to managing stress situations caused by cyber attacks. It is important to learn from these incidents and implement the necessary improvements in a timely manner.

Clarification of FINMA Guidance 05/2020

Cyber attacks that are reportable under Art. 29 para. 2 FINMASA must be notified to FINMA within 24 hours of their discovery by means of an initial report to the institution's key account manager. This initial report should contain an initial assessment of the criticality of the attack and a concise description of the facts established so far.
An initial report submitted within the 24-hour window can be withdrawn at any time if, after further investigation into the severity of the cyber attack, the institution concludes that it does not meet the materiality threshold.

Institutions subject to FINMA Circular 2023/1

Institutions subject to FINMA Circular 2023/1 must conduct risk-based and scenario-based cyber exercises in accordance with margin no. 70. The scope of these exercises follows the principle of proportionality: systemically important institutions should include red teaming exercises, while non-systemically important institutions should conduct at least one tabletop exercise per year.

Feel free to reach out if you have any questions or need further clarification on implementing these guidelines within your organization.