Cyber-Security Obligations for Financial Services Providers in Switzerland


Cyberattacks are on the rise and financial services providers worldwide are being targeted by malicious actors. While digitalization of financial services is a long-standing trend, it has been accelerated by the COVID-19 pandemic. Although this has brought many advantages, it has also increased the risk that cyberattacks severely disrupt the functioning of financial services and ultimately threaten financial stability.

It therefore comes as no surprise that legislators and regulators in Switzerland and around the world are stepping up their response. In the European Union the Network and Information Systems (“NIS“) 2 Directive is due to repeal the existing NIS Directive by October 2024, while the new Digital Operational Resilience Act (DORA), which contains an ICT risk management framework specifically for financial entities, will apply from January 2025.

Although Switzerland is lacking comprehensive cyber security legislation, there are a number of statutes, regulations and guidance, along with new draft legislation, that apply to the financial services industry. The most important of these are outlined in this blogpost.

National Cyber Security Centre and National Strategy for the Protection against Cyber Risks

The Ordinance on Protection against Cyber Risks in the Federal Administration (Verordnung über den Schutz vor Cyberrisiken in der Bundesverwaltung) laid down the legislative framework for the establishment and expansion of the National Cyber Security Centre (“NCSC“).

The NCSC serves as Switzerland’s centre of excellence and coordinates the work in the area of cyber security. While the NCSC has not taken over any tasks from regulatory bodies such as the Swiss financial market supervisory authority (“FINMA“), it provides them with expertise and interacts with them on several levels (see below).

Rules for Banks and Financial Market Infrastructures

A corollary of Art. 3f para. 3 of the Banking Act, which requires financial groups or financial conglomerates to be organized in a way as to record, limit and monitor all relevant risks, is the obligation to protect their network from cyberattacks.

This obligation is elaborated upon in FINMA Circular 2008/21 “Operational Risks – Banks” (available in German, French and Italian only) (“2008 Circular“), which is due to be replaced by Circular 2023/1 (“2023 Circular“) on 1 January 2024.

While the 2023 Circular is not a complete departure from current practices and recommendations, it does specify and clarify certain aspects based on FINMA’s experience with the 2008 Circular.

The 2023 Circular recommends that institutions should generally set up their ICT management using internationally accepted standards and practices. Management should receive an annual report about developments of the threat and risk profile, any damage resulting from successful cyberattacks, and ensure operative effectiveness of key controls in this area.

According to the explanatory memorandum, in the identification of cyberattacks the focus was placed on the introduction of suitable procedures, processes and controls for a comprehensive inventory of ICT, with the aim of ensuring that vulnerabilities are identified promptly and that, in the event of a cyberattack, interrelationships can be analyzed and prevented more quickly. This also includes the appropriate implementation of procedures, processes and controls to detect, contain and eliminate such attacks. In order to verify the effectiveness of the implemented measures, management shall, in addition to vulnerability scans and penetration tests, arrange for cyber exercises to be carried out.

In addition, other procedures not explicitly listed in the 2023 Circular may be carried out for the verification of cyber protection measures, such as participation in bug bounty programs or source code security reviews.

For the reporting of cyberattacks, the 2023 Circular cross-refers to the provisions of the Guidance (see below).

Similar rules exist for financial market infrastructures (i.e. stock exchanges, multilateral trading facilities, central counterparties, central securities depositories, trade repositories, DLT trading facilities, and payment systems) under the Financial Markets Infrastructure Act (“FinMIA“).

Art. 14 FinMIA requires financial market infrastructures to operate IT systems that ensure the fulfilment of their duties arising under the FinMIA and are appropriate for their activities, that provide for effective emergency arrangements, and which ensure the continuity of their business activity.

Pursuant to art. 23 FinMIA, special IT systems requirements apply to systemically important financial market infrastructures.

FINMA Guidance on Reporting Obligation for Supervised Institutions

FINMA has been focusing on cyberattacks as part of prudential supervision for a number of years, with the FINMA Risk Monitor 2022 listing cyberattacks as a principal risk and FINMA’s 2022 annual report highlighting an increasing number of cyberattacks on supervised institutions.

Article 29 para. 2 of the Financial Market Supervision Act (“FINMASA“) requires supervised institutions to report incidents of substantial importance to their supervision, which includes reporting major cyberattacks on business-critical functions, to FINMA. On foot of this obligation, FINMA has issued its Guidance 05/2020 on the Duty to report cyber attacks pursuant to art. 29 para. 2 FINMASA (the “Guidance“). The Guidance forms part of the FINMA cyber risk dossier, which is available on the FINMA website here.

Regarding the question what FINMA considers to be ‘of substantial importance‘, the Guidance refers to the “critical functions of supervised institutions where successful or partially successful cyber attacks would lead to failure or malfunction.”

The duty to report cyber-attacks to FINMA ‘immediately‘ means that such breaches must be reported within 24 hours of their detection and assessment of criticality by the responsible account manager, while a comprehensive report must be submitted within 72 hours. If any new developments come to light subsequently, a new report must be submitted.

For cyberattacks deemed to be ‘severe‘ or ‘high‘ (as defined in annex 1 to the Guidance), FINMA expects a conclusive root cause analysis to be submitted once the institution has finished processing the case. This must include a reason for the success of the attack and its impact on the observance of regulations.

Violating the reporting obligations is subject to criminal sanctions under FINMASA. Pursuant to Art. 45 et. seq., anyone who intentionally provides wrong information or fails to make a required report to FINMA is liable to imprisonment for a period not exceeding three years or a fine. In case the violation was the result of negligence it will be punished with a fine not exceeding CHF 250,000.

In the case of serious violations an institution’s license may also be withdrawn (art. 37 FINMASA).

Upcoming Obligation to Report Cyberattacks to NCSC

In addition to the above, draft legislation that would amend the Swiss Information Security Act (Informationssicherheitsgesetz) and introduce an obligation for critical infrastructure providers to report certain cyber-attacks and information security weaknesses to the NCSC. The Amendment would introduce reporting requirements similar to the obligations under the NIS/NIS2 and is currently making its way through the Swiss legislative process (“Amendment“).

While the final provisions of the Amendment are not yet settled, according to the version submitted to parliament by the Swiss government in December 2022, ‘critical infrastructure providers‘ would include all entities subject to the provisions of the Banking Act, the Insurance Supervision Act, and the Financial Infrastructure Act.

Reports would need to be made within 24 hours of the discovery of a cyber-attack. A breach of the obligation to report would punishable by a fine of up to CHF 100,000.

While it is currently uncertain exactly when the reporting obligation will come into force, it is clear that the Swiss parliament and government are intent on introducing binding rules in this area. According to the explanatory memorandum to the Amendment, the existing reporting obligations to FINMA pursuant to the Guidance will remain in place. However, FINMA and the NCSC will coordinate their reporting processes to avoid overlaps and redundancies. It appears that once the new reporting obligation has entered into force the NCSC reporting mechanism can likewise be used for reports to FINMA. In addition, the Amendment would add the NCSC to Art. 39 para. 1 FINMASA to allow FINMA to report non-public information to the NCSC, insofar as this is necessary for the NCSC to fulfill its role.

Financial Sector Cyber Security Centre

As part of a wider industry effort to stem the rising tide of cyber-attacks, FINMA has also been involved in the establishment of the Swiss Financial Sector Cyber Security Centre (“FS-CSC“) as an affiliate. The FS-CSC is an association whose aim is to “enhance the financial sector’s ability to withstand these risks” and to “promote a partnership between financial institutions and authorities on strategic and operational issues.”

The FS-CSC allows its members to exchange information about both best practices as well as the current cyber threat landscape, educate themselves about cyber crisis management, thereby increasing readiness.

Its 55 founding members include the Swiss Bankers Association (which runs its own webpage dedicated to cybersecurity), Swiss stock exchange SIX, and the Swiss National Bank, with membership being open to all banks, insurance companies, financial market infrastructures and financial associations that are both headquartered in Switzerland and licensed by FINMA.

Source : LEX