Financial Crime World

FINMASA Requires Swift Reporting of Major Cyberattacks

In a move to strengthen financial market supervision and cybersecurity, the Swiss Financial Market Supervisory Authority (FINMA) has issued guidelines on how cyberattacks are to be reported to it.

Strengthening Financial Market Supervision and Cybersecurity

Under the Financial Market Supervision Act (“FINMASA”), supervised institutions are required to report incidents of substantial importance to FINMA. The newly issued Guidance 05/2020 defines what constitutes a “substantial” incident and outlines the reporting requirements for cyber attacks on business-critical functions.

Reporting Requirements

According to the guidance, a major cyberattack is one that could lead to failure or malfunction of critical functions. Supervised institutions must report such breaches immediately, with a comprehensive report submitted within 72 hours. The guidelines also require institutions to submit root cause analyses for severe or high-level attacks, including information on the attack’s impact on regulatory compliance.

Violations and Penalties

Violations of the reporting obligations can result in criminal sanctions under FINMASA, with penalties including imprisonment and fines. In addition, FINMA may withdraw an institution’s license if a serious violation is found.

New Obligation to Report Cyberattacks to NCSC

Draft legislation aimed at amending the Swiss Information Security Act would introduce an obligation for critical infrastructure providers to report certain cyber-attacks and information security weaknesses to the National Cyber Security Centre (NCSC). The amendment would require reports to be made within 24 hours of discovery, with a fine of up to CHF 100,000 applicable for non-compliance.

Coordination between FINMA and NCSC

The Swiss parliament and government are intent on introducing binding rules in this area, with coordination between FINMA and NCSC planned to avoid overlaps and redundancies. Once the new reporting obligation comes into force, the NCSC reporting mechanism may be used for reports to FINMA.

Financial Sector Cyber Security Centre

As part of its efforts to combat cyber threats, FINMA has been involved in the establishment of the Swiss Financial Sector Cyber Security Centre (FS-CSC), an association aimed at enhancing the financial sector’s ability to withstand cybersecurity risks. The FS-CSC allows its 55 founding members, including major banks and financial institutions, to exchange information on best practices and current cyber threats.

Conclusion

In light of increasing regulatory scrutiny and legislation in the area, Swiss financial services providers must ensure they are prepared to prevent, mitigate, and report cyber attacks. The guidelines issued by FINMA and the upcoming obligation to report cyberattacks to NCSC underscore the importance of cybersecurity for the financial sector. Stay tuned for further updates on this topic.

Authors: Jana Essebier, Stefan Grieder, Maximilian Riegel

Maximilian Riegel: Solicitor (admitted in Ireland, non-practising), Law Society of Ireland, Associate.