News

FINMA has consistently identified cyber risks as one of the main risks facing the Swiss financial centre for several years now (see Risk monitor). In guidance, FINMA is now providing information on the findings from its supervisory activities in the area of cyber risks and drawing attention to shortcomings it has identified repeatedly. FINMA is also providing further details on the requirements for reporting cyber attacks and conducting scenario-based cyber exercises.

Outsourcing as a risk driver

In 2022 and 2023, more than half of the reported cyber attacks involved outsourced services. FINMA also very frequently identifies weaknesses in this area as part of its supervisory activities with regard to cyber risks. In addition to outsourcing, there is a recurring focus on other topics, such as governance in dealing with cyber risks.

Expanded range of supervisory instruments

Furthermore, FINMA has introduced additional cyber-specific supervisory tools in recent years, such as red teaming and tabletop exercises with the supervised institutions. Red teaming exercises involve security experts taking on the role of an attacker and attempting to breach a company’s cyber security defences by replicating the attack methods of a malicious hacker. In tabletop exercises, a scenario is simulated and played out on paper. The identified risks are continuously analysed, evaluated and summarised in a heat map.

Comprehensive supervisory activities in the cyber area

Supervised institutions are obliged to report cyber attacks to FINMA. FINMA also carried out more than a dozen cyber-specific on-site supervisory reviews last year. The reports received from the supervised institutions or audit firms and FINMA’s own cyber-specific on-site supervisory reviews enable FINMA to assess the quality of the supervised institutions’ cyber defences in depth and, if necessary, to take institution-specific measures at an early stage.