Survey Answer:

With regard to the IT security of financial institutions, special rules apply. Pursuant to Article 3f of the BA in conjunction with Article 12 para. 4 of the OBA, banks are required to maintain an effective internal control system as part of their risk management, with a view to detecting, limiting and monitoring operational and legal risks. These requirements are specified in the recently updated Circular 2008/21 "Operational Risks – Banks" issued by the Swiss Financial Market Supervisory Authority (FINMA). The Circular provides that the Executive Board must implement a risk management concept for dealing with cyber risks. Such a concept shall cover at least the following aspects:
- identification of the specific threat potentials;
- protection of business processes and technology infrastructure;
- real-time detection and recording of cyber-attacks;
- responding to cyber-attacks by timely and targeted measures;
- ensuring timely recovery of normal business operations after cyber-attacks through appropriate measures.
The Circular also states that the management is tasked with regularly reviewing the effectiveness of the concept and measures by means of vulnerability analyses and penetration tests. It should be noted that circulars issued by FINMA are not legally binding, but they express the opinion and intended enforcement practice of FINMA as the supervising body in the financial sector and thus carry substantial weight.
The FINMA Circular 2018/3 "Outsourcing" provides that the financial institution and the outsourcing service provider have to agree on minimum IT security requirements, compliance with which has to be monitored by the financial institution. Furthermore, the parties have to set up business continuity management for emergencies.
Notably, financial institutions (and their auditors) are required to notify FINMA immediately of events which are of substantial relevance to its supervisory activity (Article 29 para. 2 FINMASA). Arguably, serious incidents relating to IT security therefore need to be reported to FINMA without delay.
Moreover, Article 14 FMIA states that financial market infrastructures (e.g. stock exchanges, multilateral trading facilities, trade repositories) shall operate IT systems which (a) are adequate to their activities, (b) provide for effective emergency arrangements, and (c) ensure business continuity. Further, a financial market infrastructure is required to provide for measures to protect the integrity and confidentiality of information regarding its participants and their transactions.
The Swiss Banking Association issued Guidelines on Secure Cloud Banking in March 2019. This guidance provides for a number of technical, organizational and contractual measures to preserve IT security in the cloud. Although these Guidelines are neither binding for banks nor endorsed by FINMA, they may still be considered a benchmark for minimum security requirements in a cloud setup.

With respect to the telecommunications sector, service providers are under an obligation to immediately notify OFCOM of any operational network disruptions which affect a relevant number of customers (Article 96 OTS). In this context, OFCOM has issued a "Guideline on the Security and Availability of Telecommunication Infrastructures and Services" recommending that telecommunications providers maintain an information security management system (ISMS) in line with recognized standards. OFCOM has the authority to declare internationally harmonized standards to be legally binding (Article 96 para. 2 OTS).

Please note that further specific legal requirements apply to other sectors, including aviation, railway transportation, the health sector, etc.

Provided By:
Roland Mathys, Schellenberg Wittmer and Clara-Ann Gordon, Niederer Kraft Frey