As in previous years, FINMA directly conducted cyber-specific on-site supervisory reviews at more than a dozen institutions, in addition to the regular audits conducted by audit firms. Furthermore, numerous supervisory exchanges addressing the issue of cyber risks were held with systemically important institutions.
The number of reports submitted to FINMA concerning successful cyber attacks on supervised institutions remained stable at the levels recorded in 2022. FINMA has reported extensively on those attacks in the Risk Monitor 2023. There was also a further increase in attacks targeting the external service providers of supervised institutions. In 2022, such attacks accounted for approximately 50% of the reported cyber attacks. That trend continued in 2023 at a slightly slower rate (in this respect, see the comments in the Annual Report 2022 and in the Risk Monitor 2022).
Experience from previous years has shown that attackers were increasingly targeting smaller institutions, and that those institutions were affected by above-average numbers of successful cyber attacks. To allow a better assessment of those risks, an extensive analysis of the state of preparedness among small and medium-sized insurance companies and selected portfolio managers was carried out.
A large proportion of the deficiencies identified by FINMA during its cyber-specific on-site supervisory reviews lay in the area of governance. FINMA frequently identified an unclear boundary between the first and second lines of defence, particularly among medium-sized institutions. It is important that the operational management of cyber risks is continuously reviewed by an independent risk control organisation, so that the third line of defence can focus its audits on the most significant cyber risks for the institution.
Deficiencies in identifying potential institution-specific threats were the second most common issue identified by FINMA during the course of its on-site supervisory reviews. Some institutions still lack a clear definition of what their critical data comprises. Furthermore, they often do not know which of their employees have access to critical data because they lack a central authorisation tool. This makes it more difficult for the institution’s security organisation to establish protective measures that focus on the most important data.
FINMA also identified shortcomings in the protective measures aimed at data loss prevention, the absence of a cyber scenario in business continuity management systems, and inadequately implemented or untested backup or recovery plans.
During 2023, FINMA clearly expressed its expectation regarding outsourcing: supervised institutions may outsource services but not the associated responsibility.
In 2023, the proportion of cyber attacks on institutions that affected information and communications technologies outsourced to third parties continued to rise. Findings from the on-site supervisory reviews indicated that this trend was due to a failure to provide the commissioned service providers with clear cybersecurity requirements, or a failure to monitor, or regularly review, compliance with those requirements. The major service providers were therefore a focal point of the cyber-risk supervision work. FINMA’s aim was to find out why attacks on service providers were achieving above-average success rates.
FINMA frequently observed that directly supervised institutions were successful in rapidly bringing their most serious vulnerabilities under control and thereby averting direct harm. However, their service providers were often failing to act with the same level of effectiveness and were inadequately prepared for successful cyber attacks.
In cases involving serious security gaps, only a very small number of institutions were communicating with their service providers to ensure that they were able to close those gaps swiftly and before any harm occurred.
In many cases, the institutions lacked a complete inventory of their service providers. There was also a lack of additional information pointing out that critical data is stored with a service provider, or that a service provider is responsible for providing a critical function. Consequently, although the institutions had submitted reports to FINMA concerning cyber attacks on their service providers that resulted in losses of critical data, they had failed to record the service provider as “major” or “critical” in the inventory. As a result, service providers were often being incompletely monitored, or no regular monitoring was taking place at all.
This observation goes hand in hand with the finding described above in relation to identification, in which the relevant institutions lacked a clear definition of what constitutes critical data for them. Not only does that impede the implementation of internal measures for protecting the relevant data, it also makes it more difficult to classify the service provider appropriately and determine the monitoring measures necessary to reduce the identified risks.
(From the Annual Report 2023)