Increase in cyber attacks: implementation of on-site supervisory reviews and scenario analyses

Since the clarifications on the duty to report cyber attacks entered into force in September 2020 (see also Guidance 05/2020), 160 reports of cyber attacks of substantial importance had been received by the end of 2022. Out of 63 reports received during 2022, 48 concerned banks. More than half of the cyber attacks were directed against small institutions. Around a quarter of the attacks targeted institutions in supervisory categories 3 and 4, and only one cyber attack affected a larger institution (see also figure labelled “Cyber attacks reported to FINMA in 2022”, below). Detailed information on the reports received can be found in the 2022 Risk Monitor.

Hence, in its annually published Risk Monitor, FINMA continued to list cyber risks as one of seven principal risks faced by the financial centre in 2022. In monitoring this risk, FINMA focused on two aspects. Firstly, it continuously observed and assessed the threat situation and analysed the cyber reports; secondly, it carried out specific on-site supervisory reviews at supervised institutions and performed scenario analyses.

Whereas 2021 saw an increase in the number of DDoS activities (distributed denial of service), 2022 was characterised in particular by malware attacks threatening the integrity of essential IT components. The cyber reporting also showed that the primary purpose of the attacks was still to obtain unauthorised access to the infrastructure of the supervised institutions. The attacks most frequently took place via an external service provider in cases of outsourced services, followed by web-based attacks.

During the year under review, there was a focus on institutions in supervisory categories 4 and 5, which accounted for many of the reported attacks on banks (66%). It was noted that these institutions were particularly vulnerable to attacks. Information and communication technology (ICT) that had been outsourced to third parties was frequently affected. In this respect, it was also apparent that service providers had often been issued with cyber security instructions that were insufficiently clear, or that regular checks to verify compliance with such instructions were not being carried out. FINMA also found that qualitative operational risk management processes had often failed to take explicit account of cyber risks, and hence no systematic and comprehensive risk management system was ensured for the cyber domain.

As part of a complete revision of the circular on operational risks of banks (see "Revision of circulars", Annual Report page 69), the supervisory regulations governing cyber risks were also specifically revised. This included, inter alia, clarifications on establishing inventories of ICT to serve as a basis for swiftly identifying weak points and links between threats and risks (known as threat intelligence).

(From the Annual Report 2022)