The world of finance goes ever more digital, which brings huge advantages. However, there is a flip side to each coin: there are new attack surfaces, and connected risks. It shows in the increase of cyber attacks against financial institutes in the last few years, for instance through ransomware, DDoS attacks or APTs (Advanced Persistent Threats). The FINMA has reacted to this, and has requested financial enterprises to deploy a risk management concept, with appropriate measures for the protection against cyber attacks. The requirement is effective already since July 2017. Read further in our blog post, to see what this means for you!
The Swiss Federal Authority for the Supervision of the Financial Market FINMA regulates, by means of so-called Circular Letters (RS, from the German Rundschreiben), relevant themes for the financial institutions in their target. Specifically, the RS 2008/21 regulates how to deal with operational risks. In its initial version, the RS 08/21 did not contain any requirement related to IT and data processing; however, his changed few years ago with the addition of Annex 3: "Handling of electronic client data". The Annex required that banks deploy comprehensive security measures for the protection of the confidentiality of client data. In September 2016 the RS 08/21 was extended with additional IT-relevant provisions. To find out what does this concretely mean for your company, we have analysed the new provisions, and offer practical implementation suggestions.
What is the meaning of "Operational Risks" in the view of the FINMA?
Let us start with the definition of operational risks according to the FINMA RS 2008/21:
Operational risks are defined, in article 89 of the ERV (Own Funds Act, in German Eigenmittelverordnung), as the "danger of losses, which arise as a consequence of the inadequacy or failure of internal procedures, people or systems, or as a consequence of external events". The definition includes all legal and compliance risks, as long as they represent a direct, financial loss, i.e. inclusive of penalties applied by surveillance authorities and similar.
The first section is the most relevant for the IT function. The reference to legal and compliance risks is particularly interesting in connection to the GDPR, entering force in May 2018, and to the fully reviewed Swiss Data Protection Act, likely to enter force in August 2018. In an earlier blog post, we already explained how to successfully master the requirements of the GDPR .
Risk identification, confinement and monitoring as basis
For the scope of the implementation, the evaluation of risks is important. A number of quantitative approaches to the evaluation of risks are available; however, precisely this quantification of technology risks is still a very new theme, and there is a wide lack of reference data and statistical foundations. Things turn more interesting in section "IV. Qualitative requirements for the handling of operational risks" in Rule 2: Identification, confinement and monitoring.
"An effective identification of risks, that works as the basis for the confinement and monitoring of operational risks, takes into account both internal and external factors. These include, as a minimum, risk and control evaluations, as well as the results of reviews."
This means that we cannot simply rely on the results of the (annual) review; instead, we need to perform evaluations of the risks, controls and risk management measures ourselves. Practical experience often shows that possible risks are indeed identified and put forth, and then deleted from further processing, following the principle that a review will criticise these risks if they are relevant. We suggest instead to manage risks, once they have been identified. This saves time and costs, and prevents unnecessary stress. Rule 2, point 129 offers further IT-relevant themes:
"Collection and analysis of external events, connected with operational risks"
Data processing systems have become digital and networked everywhere. Therefore, the collection and analysis of external events must also include technology specific events, such as e.g. cyber attacks by criminal organisations, extortion through ransomware, or DoS (denial of service) attacks.
"Risk and performance indicators for monitoring operational risks, and indicators of the effectiveness of the internal control system"
This is another requirement for the IT: define and implement the (difficult to quantify) "Key Risk Indicators" for IT risks. A useful support can be found, for instance, in ISACA’s "Risk IT Framework" (which includes a practical toolbox, and the "Risk IT Practictioner Guide"), or in the ISO 27005 standard, "Information Security Risk Management".
Risk management for a targeted reduction of operational risks
Rule 4 addresses directly the IT function, and defines the following requirements: "Top management has an IT risk management concept in accordance with the IT strategy and the defined risk tolerance, considering the issues that are relevant to be implemented for each Institute, according to internationally acknowledged standards"
The standards referenced above also work for the definition of a comprehensive IT risk management concept, which as a minimum must cover the following minimal issues:
- "Current visibility over the most important components of the network infrastructure, and an inventory of all critical applications and related IT infrastructures with their interfaces to third parties."
Depending on the complexity of the infrastructure, and on an existing inventory, this requirement may imply a higher or lower grade of commitment. In addition, it must be considered that the existence of outsourced services, or of cloud based solutions, does not unburden from having such visibility. The issue of “interfaces to third parties” here must be given full consideration! - "Clear definition of roles, duties and responsibilities related to critical applications, and to the connected IT infrastructure and critical/sensitive data and processes."
The definition and documentation of duties, competences and responsibilities related to the roles in the focus of this issue, pose the basis for the identification and documentation of the developments, in the form of processes. The same criteria defined above, apply here too: this point does not depend on whether systems are operated by the company itself, by an outsourcer, or by a cloud service provider. - "A systematic process for the identification and evaluation of IT risks, targeted at checking due diligence, especially in view of acquisitions and outsourcings in the field of IT, and for the purpose of monitoring service agreements."
This statement poses the specific requirement of an appropriate process for checking outsourcing and external services. Standard attestations and certifications such as the ISO 27001 or ISAE 3402 SOC Control Reports, are useful tools for the effective monitoring of service providers. - "Measures to increase the awareness of employees, in view of their contribution to reducing IT risks as well as compliance with, and increase of, IT and information security."
Development of security awareness in employees should not fall short, and is here explicitly required as a regulation.
Tip: the requirements defined here above are worth implementing, even though you may not be a bank committed to comply with the RS; incidentally, this also helps being compliant with data protection legislations, and efficiently implementing the required security controls.
Cyber risks are the focus of FINMA’s RS 2008/21
Points 135.6 to 135.11 provide further requirements, especially focussed on “cyber risks”. They are strongly connected with the NIST Cyber Security Framework:
"Top management has an IT risk management concept, for the handling of cyber risks. This concept covers as a minimum the following aspects, and must guarantee their effective implementation by means of appropriate processes, as well as a clear establishment of duties, roles and responsibilities…"
Banks interested by this regulation should already have implemented effective security measures covering most of the points above. An issue of some novelty consists in the "timely detection and recording of cyber attacks." Involved banks, and ideally also non bank companies, should set up a specific organisational structure, operating on a 24/7 basis, to guarantee the detection of cyber attacks; and this target cannot be met without an appropriate "Security Operation Center" (SOC). In addition, there is now also a commitment to coordinate security measures, specifically "Disaster Recovery" measures for the reaction to cyber attacks, with Business Continuity Management (BCM) across the enterprise.
Proactive reduction of risks by means of simulated cyber attacks
Finally, the RS 08/21 Point 135.12 requires the regular execution of vulnerability assessments, including simulating attacks and actual penetration attempts (so called "Penetration Testing") against critical IT systems and sensitive data.
"To protect critical and/or sensitive data and IT systems against cyber attacks, top management arrange for the regular execution of vulnerability assessments and penetration tests, which must be conducted by qualified personnel with adequate resources."
When cyber security experts are required
Such qualified personnel are hard to come by. But there is no need to worry: there are established service providers for the purpose! Even just the implementation of regulatory and legal requirements such as the FINMA RS 2017/01 "Corporate Governance – Banks", 2008/07 "Outsourcing Banks" and 2008/21 "Operational Risks in Banks", without forgetting the Data Privacy Act itself, contain several specifications that are very demanding, from both the technical and the organisational point of view. This is why enlisting the help of an experienced cyber security expert is a good idea.
Swiss Cyber Security
Whether your requirements are strategic, covering the entire IT, or limited to specific domains, InfoGuard can support you with its competence in fulfilling the cyber security requirements posed by the revised FINMA circular 2008/21. Rely on us and keep your operational risks under control! We look forward to speaking with you about your specific challenges.
