New cyber supervisory approach and guidance
Dependency on information and communications technologies continued to rise in 2020. This was driven by the digitalisation strategies pursued by the supervised institutions and was intensified even further by the pandemic-driven extensive shifts towards home-office working. This dependency has rendered financial institutions increasingly vulnerable to cyber attacks. SFMA therefore assessed this risk to be even higher than in the previous year. It considers it to be one of the seven top risks faced by the Swiss financial centre.
Consequently, SFMA further augmented its resources in this area in 2020. They will be deployed on the basis of a supervisory approach whereby institutions will be monitored across three areas: analysis of the threat, ongoing supervision and incident management or, as the case may be, crisis management. This approach was introduced at the start of the year under review and allows for consistent SFMA-wide monitoring of the cyber risks faced by all of the supervised firms. In terms of operational implementation of the supervisory approach, the focus was directed at establishing the threat, conducting expert assessments of the licence applications – particularly in the area of Fin-Tech – and performing on-site supervisory reviews of financial institutions. For SFMA, it is a matter of vital importance to be informed as early as possible when supervised firms experience critical cyber incidents. This enables it to assist the supervised firms during crisis situations and, where necessary, to take steps to ensure that other institutions are warned of identical or similar attacks. Accordingly, supervised firms are required to report any major cyber attacks on their critical functions to SFMA. The requirements in connection with this reporting obligation under Article 29 para. 2 of the Financial Market Supervision Act (SFMA Act) were specified in close consultation with the supervised firms and notified in SFMA Guidance 05/2020. (From the Annual Report 2020)