FINMA Guidance 05/2020: Duty to report cyber attacks
Disputes & Enforcement
Technology & Digitalization
Data / Technology / IP
With its Guidance 05/2020, FINMA recalls the already applicable legal obligation to report substantial incidents and specifies the requirements with regard to cyber attacks.
With its Guidance 05/2020, FINMA recalls the already applicable legal obligation to report substantial incidents and specifies the requirements with regard to cyber attacks. The following article is an interpretative aid to the FINMA Guidance and shows the need for action for FINMA-supervised institutions.
What is the purpose of the FINMA Guidance?
FINMA considers the risk of cyber attacks on the Swiss financial center to be very high. Cyber attacks can affect not only individual institutions, but also system-relevant institutions or several institutions at the same time or institutions that provide critical interlinked services. Under certain circumstances, the functioning of the financial markets in Switzerland may even be jeopardized.
For this reason, FINMA wants to obtain an overview in order to influence the supervised institutions if necessary. With the Guidance 05/2020, FINMA reminds of the already existing duty to report substantial incidents (Art. 29 para. 2 Financial Market Supervision Act, FINMASA), which can also include cyber attacks. FINMA aims to identify in good time any significant incidents that could affect, impact or even impair the protection of individuals, the functioning of the institutions subject to FINMA supervision or the functioning of the financial market. In this way, FINMA obtains an overview of potential risks and ensures compliance with its objectives.
FINMA Guidance 05/2020 defines three protective goals that could be affected by a cyber attack. The protective goals of integrity, confidentiality and availability of data or information. Individual or several of these protective goals may be affected by successful or partially successful cyber attacks. FINMA mentions in its Guidance that cyber-attacks generally target critical functions, which include supervised institutions' products or services, their underlying business processes, and their critical assets (i.e., personnel, information, technology infrastructure, facilities, and critical service providers).
What does FINMA mean by a cyber attack?
"Cyber attack" is a widely used term, but few know what all lies behind it. FINMA defines this term in its Guidance 05/2020 as “attacks from the internet and similar networks on the integrity, availability and confidentiality of the technology infrastructure, particularly in relation to critical and/or sensitive data and IT systems” and gives examples such as brute force attacks, identity theft, exploitation of a hardware vulnerability, etc. Also, "only" cyber attacks of substantial importance to the supervision are to be reported. With regard to substantiality, FINMA refers to the objectives associated with the reporting obligation, namely protection of individuals and the functioning of the financial markets. Therefore, in addition to personal data breaches, the reporting obligation also covers all cyber attacks that endanger or could endanger individuals, institutions and/or the financial market.
Does every cyber attack have to be reported?
No, not every cyber attack must be reported to FINMA. Only "cyber attacks of substantial importance to the supervision" are reportable. What does that mean?
From the wording of the FINMA Guidance 05/2020 can be inferred that successful, but also only partially successful cyber attacks can qualify as substantial. Consequently, unsuccessful cyber attacks are not substantial. In our view, this includes cyber attacks that could be detected, prevented or averted at an early stage without posing a threat to individuals, the institution (including via its critical service providers) or the financial market.
Also substantial are cyber attacks that directly or indirectly affect the functioning of financial markets. These include attacks on critical infrastructure of the institution, such as power producers, internet service providers, etc.
MME has developed a raster to help assess the substantiality of a cyber attack under time pressure in the event of an incident.
What is the reporting process?
If cyber attacks are thus aimed at critical functions of FINMA supervised institutions and if the cyber attacks are successful or partially successful and, in addition, protective goals are affected or endangered, the cyber attacks must be reported to FINMA without delay.
The first step is a preliminary information by the institution within 24 hours of the detection of a reportable cyber attack.
After 72 hours from the detection of the cyber attack, the actual reporting is then made to FINMA via the survey and application platform (EHP) with the parameters defined in the FINMA Guidance regarding the content and structure of the report. Among other things, the report must explain the type of attack, specify the critical functions and protective goals, specify the measures taken and provide an assessment of the severity of the cyber attack and forecast.
A new reporting is required within 72 hours if the institution has new developments or assessments regarding the same cyber attack.
If the FINMA-supervised institution has completed the cyber-attack ""internally"", the FINMA Guidance requires certain follow-up measures, such as a conclusive root cause analysis to FINMA, depending on the severity of the cyber-attack. What this analysis to FINMA should contain is clarified in FINMA Guidance 05/2020 - graded according to severity.
Need for action: What needs to be done?
We recommend the following implementation procedure:
1. Immediate actions:
Designation of a responsible person
Mandate for the development of a contingency plan ""reporting cyber-attack""
2. Definition of the critical functions of the supervised institution:
Products or services of the supervised institution
Business processes: Payment transactions, cash supply, exchange trading, drafting and administration of insurance contracts, processing of claims and benefits, data management of particularly sensitive personal data in the health and life insurance branches; administration of securities and investments etc. (see FINMA Guidance 05/2020, footnote 4).
Critical assets: personnel, technology infrastructure, information, facilities and critical service providers that support the business processes of these critical functions.
3. Define responsibilities and decision-making processes:
Define an authorization administrator of the institution and a (key) account manager (FINMA).
Familiarize with FINMA's web-based survey and application platform; carry out re-registration.
Clearly define competences and responsibilities; appoint and specifically designate deputies. Due to time pressure, short official channels are to be preferred. Define procedures and record them in a directive together with defined competencies and responsibilities (including decision-making competencies; crisis team).
Define technical and/or personnel warnings (e.g. via logins).
Create awareness within the company (e.g. with the help of internal fact sheets); involve employees and familiarize them with the topic in order to ensure a prompt reaction in the event of an emergency.