FINMA Issues Guidance on Reporting Cyber Attacks
In a bid to enhance the resilience of Switzerland’s financial sector against cyber threats, the Financial Market Supervisory Authority (FINMA) has issued guidance on the duty to report cyber attacks to FINMA. The guidance is in line with the Financial Markets Supervision Act (FINMASA), which requires supervised institutions to report incidents of substantial importance to their supervision.
Key Requirements
Under the guidance, supervised institutions are required to:
- Report major cyber attacks on business-critical functions to FINMA “immediately” after detection and assessment of criticality.
- Report breaches within 24 hours of discovery.
- Submit a comprehensive report within 72 hours.
- Submit a new report if new developments arise subsequently.
- Conduct a conclusive root cause analysis for severe or high-risk cyber attacks, including the reason for the attack’s success and its impact on regulatory compliance.
Consequences of Non-Compliance
Failure to comply with the reporting obligations is punishable under FINMASA. Intentional provision of false information or failure to report can result in:
- Imprisonment for up to three years
- A fine of CHF 250,000

In cases of negligence, fines of up to CHF 250,000 may apply. In severe cases, an institution’s license may be withdrawn.
New Reporting Obligation
In addition to the FINMA guidance, draft legislation has been introduced that would amend the Swiss Information Security Act and introduce a reporting obligation for critical infrastructure providers to report certain cyber attacks and information security weaknesses to the National Cyber Security Centre (NCSC). The proposed amendment is currently making its way through the Swiss legislative process.
Key Features of the Amendment
The amendment would require critical infrastructure providers, including banks, insurance companies, and financial market infrastructures, to report cyber attacks within 24 hours of discovery. Failure to comply with this obligation could result in a fine of up to CHF 100,000.
FINMA-NCSC Coordination
FINMA and the NCSC will coordinate their reporting processes to avoid overlaps and redundancies. Once the new reporting obligation enters into force, it is expected that the NCSC reporting mechanism can be used for reports to FINMA as well.
Financial Sector Cyber Security Centre
As part of its efforts to enhance cybersecurity in the financial sector, FINMA has been involved in the establishment of the Swiss Financial Sector Cyber Security Centre (FS-CSC). The FS-CSC aims to promote a partnership between financial institutions and authorities on strategic and operational issues. Its 55 founding members include prominent financial institutions such as banks, stock exchanges, and insurance companies.
Conclusion
In light of increasing regulatory scrutiny and legislation in the area, Swiss financial services providers must ensure they are prepared to prevent, mitigate, and report cyber attacks. The new reporting obligations introduced by FINMA and the proposed amendment to the Swiss Information Security Act highlight the importance of cybersecurity compliance for institutions operating in Switzerland.