The Swiss Federal Council adopted a strategic approach for critical infrastructure protection on 8 December 2017 for the period covering 2018 to 2022. This resulted in an audit carried out at the Swiss Financial Market Supervisory Authority (“FINMA”) by the Swiss Federal Audit Office (“SFAO”) with the goal of reviewing the current state of financial services providers’ cybersecurity supervision. Below are the SFAO’s three main findings:
The progress of these provisions in Switzerland is still not up to speed
It has been found that there have been gaps in the cyber-risk framework for a number of years. Due to the ongoing need to understand the overall relevant responsibilities and proficiencies, cyber-risk provisions are moving ahead more slowly than expected.
Adequate supervision is reliant upon the availability of resources
For FINMA, cyber-risk supervision is one of the six main risks, which has been evolving as resources became readily available. However, there are other planned activities that have not been initiated or solidified yet. This was indicated by FINMA at the beginning of 2020, which has led to organisational and formal adjustments.
The duty imposed on regulated financial institutions to report cyber incidents
The findings indicate that there have been reported cases of regulated financial institutions providing insufficient cyber incident reports. The ensuing consequences have not been enforced as of now, even though proper procedures have been put in place.
As of 15 February 2021, four recommendations have been issued by FINMA:
- Supervisory requirements in relation to cyber-risks have been extended to the insurance sector and corresponding regulatory work will begin in 2021.
- Supervised entities must fulfil their reporting obligations of major cyberattacks (as per the notification sent out by FINMA in May 2020) and those who fail to comply will be dealt with by FINMA.
- FINMA will emphasise cybersecurity in its on-site inspections and plans to increase the number of visits in 2021.
- Surveys and audit results shall be conducted by the audit firms in a more systematic manner.
lecocqassociate is available to assist you regarding this update. Please contact Dominique Lecocq (email@example.com) with your queries.