New FINMA Guidance 03/2024 on Cyber Risks: Implications for Portfolio Managers under Art. 17 FINIG

In June 2024, the Swiss Financial Market Supervisory Authority FINMA published its new Guidance 03/2024, which deals explicitly with the topic of cyber risks. This publication is a further regulatory measure to deal with the increasing threat of cyber attacks. Although it is aimed in particular at larger and more heavily regulated institutions such as banks, the principles it formulates also apply, in a less stringent form, to small and medium-sized portfolio managers under Art. 17 of the Financial Institutions Act (FinIA). What are the key aspects of this new FINMA Guidance and what do they mean for portfolio managers?


Dr. Fabian Schmid
Partner – Regulatory & Compliance financial services
Grant Thornton AG


Background and reference to the previous supervisory notice

The new Guidance 03/2024 follows on from the earlier Guidance 05/2020, which already formulated basic requirements and expectations with regard to cyber risk management. While Guidance 05/2020 laid the foundation for the regulatory requirements, the current Guidance 03/2024 goes one step further and specifies the expectations for the implementation of these requirements.

FINMA refers to Art. 29 para. 2 of the Financial Market Supervision Act (FINMASA), which forms the basis for these detailed regulatory requirements in the area of cyber security in the context of the obligation to report cyber attacks. This means that, in principle, all institutions subject to financial market supervision, including small and medium-sized portfolio managers, are affected by these requirements.

In the first part of the Guidance, FINMA describes various shortcomings in dealing with cyber risks that it has identified in the course of its supervisory activities and which are addressed by the clarifications in the new Guidance. Many cyber attacks affect outsourced IT services, and affected institutions often did not have a complete inventory of their service providers and subcontractors. FINMA also found that cyber risks were often presented to the institutions' management bodies as a purely technological problem and were therefore not given the necessary priority by the Executive Board and Board of Directors. Furthermore, a risk tolerance for cyber risks was often not defined, and appropriate controls were lacking in the internal control system (ICS). In the area of protection, FINMA saw a particular need for improvement in the training of employees and in raising their awareness of cyber risks.

Key points of the new Guidance 03/2024

FINMA Guidance 03/2024 places particular emphasis on the following aspects of cyber risk management, which portfolio managers should not ignore:

  • Increased requirements for IT security: Portfolio managers must ensure that their IT infrastructures guarantee proper business operations. Although the specific requirements for this can vary greatly depending on the business model, size and complexity of an institution, in principle this means that a portfolio manager's IT must comply with current security standards. This includes technical measures such as encryption or intrusion detection systems as well as organisational measures such as internal reporting to the management bodies or the provision of regular training for employees.
  • Risk assessments and monitoring: Institutions are obliged to regularly assess their cyber risks and implement appropriate security measures. This should ensure that potential vulnerabilities are identified and remedied at an early stage. The integration of key controls into the internal control system (ICS) is particularly important here.
  • Reporting of significant cyber attacks: A key point of the new Guidance is the clarification of the obligation to report significant cyber attacks to FINMA. It should be noted that only incidents of a certain severity, i.e. those that could significantly impair the institution's ability to function or the security of client data, have to be reported. From the time a significant cyber attack is discovered, the institution has only 24 hours to report it to FINMA. This initial report can be made informally by e-mail, telephone, etc. After 72 hours, a formal report via the web-based survey and application platform (EHP) is required.

Relevance for small and medium-sized asset managers

As mentioned at the beginning, FINMA's requirements are not exclusively aimed at banks and large financial institutions, but also include small and medium-sized portfolio managers. These institutions must therefore also carefully review their existing cyber security strategies and adapt them where necessary in order to fulfil the new regulatory requirements. This may involve implementing new technologies or working with external service providers. The documentation and regular review of the measures taken also play a decisive role.

Implementation of the new requirements

Ideally, the implementation of the measures described in FINMA Guidance 03/2024 should follow a structured approach. The following steps are recommended:

  • Analyse the current status: It makes sense to take stock of the existing IT infrastructure and cyber security measures and compare them with the key points of the FINMA Guidance. Both technical and organisational aspects should be taken into account.
  • Identification of weak points: Based on the analysis, potential weaknesses and risks must be identified. This part in particular can usefully be carried out with the support of external specialists.
  • Implementation of an action plan: Based on the identified vulnerabilities, a detailed action plan should be developed that provides for both short-term and long-term improvements. Important components of this can include updating IT security guidelines, implementing new security solutions and training employees.
  • Monitoring and reporting: Ongoing monitoring of IT security measures and regular reporting are crucial to ensure the effectiveness of the measures and to be able to react promptly to new threats.
  • Reporting of cyber attacks: A clearly defined process for reporting significant cyber attacks to FINMA must be established. This includes identifying reportable incidents, documenting them and reporting them to FINMA in a timely manner. Cyber attacks targeting IT outsourcing partners but affecting the portfolio manager's data also fall within the scope of this reporting duty.

Conclusion and need for action

FINMA Guidance 03/2024 makes it clear that cyber risks increasingly pose a serious threat to all financial institutions, regardless of their size. Not only large banks but also portfolio managers should therefore take proactive measures to critically scrutinise their IT infrastructures and adapt them where necessary in order to meet regulatory requirements.


Biography

Fabian Schmid is the Head of the Regulatory & Compliance Financial Services division. He has over 15 years of professional experience in financial markets law. Together with his team, he supports the auditing of all regulatory matters and acts as the consulting expert in the Regulatory & Compliance Financial Services division, particularly on the topics of the Financial Institutions Act (FinIA), Financial Services Act (FinSA), CISA, AMLA and corporate governance. Compliance services for smaller and medium-sized banks and asset managers are a particular focus. In addition to setting up dedicated outsourcing services in the areas of ICS, compliance and risk management for asset managers, he has led various FINMA investigative mandates and special audit mandates in the banking sector in the past. Fabian Schmid earned his doctorate in law (Dr. iur.) at the University of Bern with a dissertation in the field of financial markets law/asset management law.