SWITZERLAND Law and Practice Contributed by: Hugh Reeves, Jürg Schneider and David Vasella, Walder Wyss Ltd
In case of a breach of the sectoral rules, FINMA has a varied toolbox of enforcement measures. These include the revocation of licences to practice, fines or even custodial sentences. FINMA also occasionally, and for preventative purposes, relies on a “naming and shaming” strategy, meaning that the perpetrator of any offence against the regulatory rules is publicly named.

3.2 ICT Service Provider Contractual Requirements

As mentioned in 2.1 Scope of Critical Infrastructure Cybersecurity Regulation, a breach notification obligation in cases of cybersecurity incidents affecting critical infrastructures will come into force on 1 April 2025. Moreover, FONES published a minimum ICT standard document as well as an ICT self-assessment tool directed at operators of critical infrastructures. This document rests, in part, on the requirements of the relatively ubiquitous NIST framework to which it refers.

3.3 Key Operational Resilience Obligations

Concerning key operational resilience obligations, see also 1.1 Cybersecurity Regulation Strategy and 1.2 Cybersecurity Laws. On 7 June 2024, FINMA published supervisory guidance 03/2024 on cyber-risks, which includes:

• findings from FINMA’s cyber-risk supervision, including deep dives at banks;
• information on scenario-based cyber-exercises in accordance with Circular 2023/1 Operational Risks and Resilience; and
• clarifications of FINMA Guidance 05/2020 on the reporting requirement for cyber-attacks.

The clarifications relate to the reporting obligation under Article 29(2) of the Financial Market Supervision Act, which requires supervised institutions to report certain material incidents to FINMA. It builds on earlier FINMA guidance, Guidance 03/24 and Guidance 05/2020. FINMA clarifies its expectations as follows.

Deadline for Reporting

FINMA confirms that the relevant institution has 24 hours from the moment a cyber-attack is discovered to report to FINMA (see the following for information about the commencement of this window). Within these initial 24 hours, the institution must carry out an initial assessment of the criticality, with the aim of assessing whether the cyber-attack requires a report to FINMA. The “actual” report must then be made within 72 hours via FINMA’s survey and application platform (EHP).

Expectations for the Initial Report

FINMA states that timeliness is of the essence for the initial report. There are no specific expectations in terms of form or content, and initial reports can also be withdrawn later. The initial report may be made informally, for example by e-mail or telephone. The aim is to reflect the then-known facts on the basis of the initial assessment. It may, of course, be the case that further clarifications show that the initial report would not have been mandatory. Institutions can therefore withdraw their initial reports at any time, giving them an incentive to err on the side of caution.

If an institution is also subject to the reporting requirement under the ISA, as revised (with the relevant parts coming into force on 1 April 2025), the initial report can be submitted through the relevant authority, the BACS. To the extent known, the BACS will forward the report to FINMA – if the reporting institution chooses this option – automatically and without filtering, so