FINMA continues to view the risk of cyber attacks on the Swiss financial centre as very high. FINMA reminds all supervised institutions of their legal requirement, pursuant to Article 29 para. 2 FINMASA, to immediately (within 24 hours) report any incident that is of substantial importance to the supervision.
On 7 May 2020, FINMA published the Guidance 05/20 “Duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA”. FINMA reminds all supervised institutions of their legal requirement, pursuant to Article 29 para. 2 FINMASA, to immediately (within 24 hours) report any incident that is of substantial importance to the supervision. This encompasses significant incidents with regard to successful or partially successful cyber attacks. FINMA intends to transfer the following clarifications of the guidance to a circular at a later point in time.
FINMA expects the detailed requirements from the guidance on reporting cyber attacks to be implemented by 1 September 2020 at the latest or earlier on a best effort basis.
MME Cyber Risk Response Team is ready to assist you to comply with the new FINMA reporting requirements.
