Cyber risks (2024)

The Swiss financial sector continues to be a regular target for cyberattacks. The number of reports received by FINMA about successful or partly successful attacks increased by 30% compared with the prior year. Cyber risks remain among the main risks for the institutions supervised by FINMA, and the risk is at a consistently high level. In FINMA Guidance 03/2024, FINMA highlighted key findings from its supervision of cyber risks.

The Swiss financial centre remains a focus for international cybercrime, including for well-known international ransomware groups such as PLAY, AKIRA, and Lockbit 3.0. At the same time, with its increased supervision of smaller market players such as independent asset managers and untied insurance intermediaries, FINMA has registered a growing number of cyberattacks on these entities.

Supervised institutions across all supervisory categories increasingly reported cyberincidents in connection with business email compromise (BEC) and forms of cyberfraud such as CEO fraud. In some cases, the incidents involved large sums for the institutions concerned and their customers. SIM swapping attacks (a form of identity theft to circumvent multi-factor authentication, where a digital SIM card is created or stolen) were also reported to FINMA.





Email traffic remains the most common infection vector for smaller institutions in a cyberincident. Root cause analysis has shown that these supervised institutions had limited or less sophisticated cyberprotection arrangements in place. This encompassed both a lack of technical defences and an urgent need to raise awareness.

Inadequate processes to identify and repair software weaknesses within the technology infrastructure and gaps in configuration management were further entry points for attackers. For example, attackers were able to circumvent multi-factor authentication due to configuration errors, or because the institutions concerned were not using two-factor authentication across the board.

 




In many cases, the institutions did not notice the cyberattacks for a prolonged period. The attacks were carried out on outdated technological infrastructure that was no longer maintained and updated, or external service providers did not inform the institutions promptly. This indicates firstly that there are some serious deficiencies in the life cycle management of IT infrastructure. Secondly, it highlights weaknesses in cybersecurity policies in connection with service providers. The identification and reaction capabilities of the institutions remain key factors in handling cyberattacks successfully. This is underlined by the fact that a quarter of the incidents reported relate to infections with malicious software.

In the past year there have again been multiple waves of distributed denial of service (DDoS) attacks (attacks on the availability of technology infrastructure), which led to services being restricted for Swiss financial market participants and their customers for limited periods. The attacks were mostly financially motivated and accompanied by blackmail letters. Critical infrastructures in Switzerland were also hit by ideologically motivated DDoS attacks.




Supply chain attacks and cyberincidents in connection with outsourced services and functions remain relevant and continue to account for nearly a third of all reported cyberincidents. It is safe to assume that cyberattacks on IT and communications technology supply chains will continue to increase. Supervised institutions therefore need to take technical and organisational steps to protect their main business processes and critical data.


 

FINMA Risk Monitor 2024

Updated: 18.11.2024 Size: 0.43  MB