Regulatory View on Cyber Security - Swiss Risk Association

Page 1: Regulatory View on Cyber Security - Swiss Risk Association

First National Cyber Security Event 2020

23 November 2020

Regulatory View on Cyber Security

Page 2: Regulatory View on Cyber Security - Swiss Risk Association

Agenda

− Introduction

− Cyber supervision

− Cyber regulation

− FINMA Guidance 05/2020

− Questions

23 November 2020, Regulatory View on Cyber Security

Page 3: Regulatory View on Cyber Security - Swiss Risk Association

Introduction


Page 4: Regulatory View on Cyber Security - Swiss Risk Association

Introduction


Sebastian Kunz, Senior Risk Manager Cyber at FINMA

− Lead responsible for cyber security across all FINMA-supervised institutions

− 12 years of experience in the banking and consultancy sector in various specialized cyber security roles (digital forensics, IT investigations, security incident response, eDiscovery, security assessments, IT security advisory)

− Numerous IT security certifications: CISSP, CISM, CISA, CRISC, CGEIT, OSCP, OSWP, CCSP, EnCE, NUIX certified examiner, CEH

− B.Sc. in Business Information Technology

https://www.linkedin.com/in/sebkunz

Page 5: Regulatory View on Cyber Security - Swiss Risk Association

Introduction


[Organisation chart on slide 5; only the labels survive extraction: OpRisk, Outsourcing, Cyber security, IT; B-OCI; Manager; "FINMA-wide cross-department function"; "Banks only"; Vacancy]

Page 6: Regulatory View on Cyber Security - Swiss Risk Association

Cyber supervision & regulation


Page 7: Regulatory View on Cyber Security - Swiss Risk Association

Cyber supervision


2015: Additional audits to assess cyber risk at systemically relevant banks

Starting in 2016: Supervisory dialogues, periodic exchange of information with MELANI, the cyber industry, and national and international jurisdictions/committees

2016: Self-assessment"Dealing with Cyber Risks"

2017: Publication of regulatory requirements for cyber risks (FINMA Circular 2008/21: margin numbers 135.6-135.12)

2018: On-site supervisory reviews in the area of operational risks including dealing with cyber risks

2018: Self-assessment"Threat Intelligence"

Starting in 2019: Cyber risk-specific on-site supervisory reviews

2020: Establishment of FINMA-wide cyber concept, publication of FINMA guidance on the duty to report cyber attacks, increased on-site supervisory reviews

Specialist/supervisory instruments:

Regulation

Specialist/supervisory dialogues

Self-assessments

Regulatory audits

Additional Audits

On-site supervisory reviews

Page 8: Regulatory View on Cyber Security - Swiss Risk Association

Cyber regulation (1/2)


[Figure on slide 8: FINMA Circular 2008/21 "Operational risks – banks" shown alongside the NIST Cybersecurity Framework]

Page 9: Regulatory View on Cyber Security - Swiss Risk Association

Cyber regulation (2/2)


Insurers

Principle-based approach to operational risks (including cyber risks):

• FINMA Circular 17/02 "Corporate governance – insurers", margin nos. 11*, 28*-36*
• Insurance Supervision Ordinance, Arts. 96 and 97
• Insurance Supervision Act, Arts. 22 and 27

Financial market infrastructures

• Financial Market Infrastructure Act, Art. 14
• Financial Market Infrastructure Ordinance, Art. 15

Asset management

• Managers of collective assets: Financial Institutions Act, Art. 9 and Financial Institutions Ordinance, Arts. 12 and 41
• Fund management companies: Financial Institutions Ordinance, Art. 57

Page 10: Regulatory View on Cyber Security - Swiss Risk Association

FINMA Guidance 05/2020

Duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA


Page 11: Regulatory View on Cyber Security - Swiss Risk Association

FINMA Guidance 05/2020 (1/3)


• Reminder of duty to report cyber attacks pursuant to Article 29 para. 2 FINMASA

• Severity levels medium, high and severe as defined in Annex 1 of the FINMA Guidance

• Published at the beginning of May 2020, entry into force 1 September 2020

Page 12: Regulatory View on Cyber Security - Swiss Risk Association

FINMA Guidance 05/2020 (2/3)


Page 13: Regulatory View on Cyber Security - Swiss Risk Association

FINMA Guidance 05/2020 (3/3)


Reporting timeline (figure on slide 13, steps 1 to 3 with the 24h and 72h marks):

1. Detection of a reportable cyber attack

2. Within 24h: notification to the FINMA account manager

3. Within 72h: submission of the official notification through the FINMA EHP

Once the institution has finished processing the case: submission of the conclusive root cause analysis report to the FINMA account manager

• 24h means one (Swiss) business day.
• Institutions have a duty to report cyber attacks against outsourcing providers if their critical functions are affected.
• Low severity attacks or unsuccessful attacks are not covered by the reporting duty.
• FINMA will publish statistics and information in anonymous form about reported cyber attacks. The frequency and type of report are yet to be defined.

Page 14: Regulatory View on Cyber Security - Swiss Risk Association


[email protected]

Page 15: Regulatory View on Cyber Security - Swiss Risk Association
