Written by Kamil J. Mizgier, PhD
Cyber security is a top priority for financial institutions in Switzerland, as the country’s financial sector is a major target for cyber criminals. This blog article will explore the multifaceted world of cyber security in that sector.
1. The Swiss framework
To fortify the defenses of the financial services industry, the Swiss Financial Market Supervisory Authority (FINMA) has introduced a series of regulations. Among these is the Ordinance on Protection against Cyber Risks in the Federal Administration which has paved the way for the establishment of the National Cyber Security Centre (NCSC) – a pivotal player in Switzerland’s cyber security landscape. Although the NCSC doesn’t take on regulatory duties like FINMA, it serves as a valuable resource, offering expertise and facilitating collaboration at various levels.
Within the financial sector, specific rules have been instituted for banks and financial market infrastructures, guided by the FINMA Circular 2023/1, scheduled for implementation on January 1, 2024. The 2023 Circular builds upon existing practices and recommendations while providing more specific and comprehensive guidance. It underscores the importance of institutions adopting internationally recognized standards and practices in their ICT management. This proactive approach aligns with Switzerland’s commitment to enhancing cyber security resilience in its financial sector.
In addition to bolstering cyber security, Switzerland has also taken strides to enhance data privacy protection within the financial services sector. The recently enacted New Federal Data Protection Act (NFADP) equips the Federal Data Protection and Information Commissioner (FDPIC) with the authority to impose fines of up to CHF 2 million for violations of the law.
2. Adoption of ISO certifications is limited
ISO certifications, particularly ISO 27001 (Information Security Management System), hold immense significance for financial institutions. They offer a well-defined framework for the management and safeguarding of sensitive information, encompassing critical aspects such as customer data, financial records, and transaction details. These certifications serve as a guarantee that data is treated with the utmost diligence, consequently reducing the risk of data breaches and regulatory violations.
However, it’s important to note that the adoption of ISO 27001 remains limited. Official statistics from ISO Institutes reveal that only a fraction of Swiss organizations have pursued this certification.
This statistic contrasts sharply with the substantial number of registered companies in Switzerland, the majority of which fall under the category of micro-sized enterprises. Considering the introduction of new regulations, it’s plausible to anticipate a surge in interest and adoption of these certifications soon.
3. The journey towards cyber resilience: Confidentiality, Integrity, Availability (CIA) of Data
The Confidentiality, Integrity, Availability (CIA) triad forms the foundation of data security in financial services. Achieving a balance between these principles is essential to maintaining the trust of customers and regulators.
Additionally, the concept of cyber resilience, as discussed in recent research, emphasizes the need for a holistic approach to data security. This journey towards cyber resilience commences with achieving alignment on a common definition, ensuring that everyone within the organization shares a unified understanding of what cyber resilience truly entails.
4. Establishing cyber risk appetite
Understanding and defining risk appetite is crucial to managing cyber risk in financial organizations. It involves determining the level of cyber risk an organization is willing to accept in order to achieve its strategic objectives. This concept aligns with the research findings mentioned above, where competing rationalities within an organization can create challenges. Establishing a clear risk appetite framework can help bridge these conflicts.
The Swiss Federal Office for National Economic Supply offers tools to assist organizations in initiating risk assessments and implementing minimum standards.
5. Identifying and managing vulnerabilities
Software composition analysis (SCA) is a technique for identifying and managing vulnerabilities in software applications. It can help financial institutions identify and patch vulnerabilities in their software components before attackers can exploit them.
Recent high-impact breaches in the financial sector have highlighted the importance of SCA. For example, the Equifax breach in 2017, in which attackers gained access to the personal data of over 147 million consumers, and the SWIFT banking system breaches in 2016 and 2018, which resulted in substantial financial losses, were all caused by vulnerabilities in software components.
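To make the SCA idea concrete, here is an added example (not code from the article or any product it mentions): a minimal composition check that parses a pip-style manifest and flags pinned components whose version falls inside an advisory's affected range. The package names, versions and advisory identifiers are constructed for illustration only.

```python
# Added example (not from the article): a minimal software composition analysis
# (SCA) check that parses a constructed pip-style manifest and flags pinned
# components whose version falls inside a constructed advisory's affected range.
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample manifest in requirements.txt syntax (not a real project).
REQUIREMENTS = """\
examplelib==1.5.0
logfmt-parser==2.0.0
tlsutils==0.9.1   # pinned for compatibility
"""

# Constructed advisories: (package, first affected, first fixed, advisory id).
# fixed=None means no patched release exists yet, so every later version is affected.
ADVISORIES: List[Tuple[str, str, Optional[str], str]] = [
    ("examplelib", "1.0.0", "1.5.0", "ADV-EXAMPLE-0001"),
    ("logfmt-parser", "2.0.0", "2.0.1", "ADV-EXAMPLE-0002"),
    ("tlsutils", "0.9.0", None, "ADV-EXAMPLE-0003"),
]

def parse_version(v: str) -> Tuple[int, ...]:
    """'1.10.0' -> (1, 10, 0): compare numerically so 1.10 sorts after 1.9."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text: str) -> Dict[str, str]:
    """Return {package: version} for each '==' pin; comments and blanks are skipped."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)\s*==\s*([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_vulnerable(pins: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (pkg, version, advisory id) for pins in [introduced, fixed); the fixed version itself is clean."""
    findings = []
    for pkg, introduced, fixed, adv_id in ADVISORIES:
        if pkg not in pins:
            continue
        ver = parse_version(pins[pkg])
        if ver >= parse_version(introduced) and (fixed is None or ver < parse_version(fixed)):
            findings.append((pkg, pins[pkg], adv_id))
    return findings

if __name__ == "__main__":
    for pkg, ver, adv in find_vulnerable(parse_requirements(REQUIREMENTS)):
        print(f"{pkg}=={ver} is affected by {adv}")
```

Real SCA tools do the same matching against a maintained vulnerability database and a generated software bill of materials rather than a hand-written list; the range boundaries (inclusive start, exclusive fix) are where hand-rolled checks most often go wrong.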
6. Putting up holistic defence strategies
A variety of defence techniques are available to protect financial institutions from cyber attacks. These solutions should be integrated into a comprehensive cyber security strategy in line with a holistic approach to cyber resilience.
- Diverse Teams: Diverse teams contribute to a more comprehensive defence strategy by mitigating group thinking and enhancing operational flexibility.
- Integrated Knowledge: The integration of knowledge from various disciplines enhances the effectiveness of security measures and promotes collaboration within the organization.
- Regulatory Adaptation: Financial institutions operating internationally should adapt their cyber security practices to accommodate regulatory differences across countries, ensuring compliance and flexibility.
- Penetration Testing: Ethical hackers simulate real-world attacks to identify vulnerabilities and weaknesses in systems. A free penetration test can be used to initially screen the organization’s vulnerabilities.
- System Backup Strategy: Regular data backups help recover from ransomware attacks and other data losses.
- Software Solutions: Advanced software solutions, including firewalls, Endpoint Detection and Response (EDR) solutions, Security Information and Event Management (SIEM) systems, and blockchain technology, play pivotal roles in securing financial institutions.
These defence techniques, when used together with a comprehensive cyber security strategy, bolster financial institutions’ resilience against cyber threats and attacks.
Cyber security is a continuous battle
Cyber security in financial services is a continuous battle against evolving threats. ISO certifications, adherence to data security principles, risk management, audits, and defence techniques are vital components of a robust cyber security strategy.
By staying vigilant and investing in the right tools and practices, financial institutions can protect their assets, maintain customer trust, and mitigate the ever-present cyber risks.
This article does not contain investment advice or recommendations. Every investment and trading move involves risk, and readers should conduct their own research when making a decision.
The views, thoughts and opinions expressed here are the author’s alone and do not necessarily reflect or represent the views and opinions of the Swiss Finance + Technology Association.
Kamil J. Mizgier, PhD is a senior risk leader with a passion for cyber security and a PhD from ETH Zurich. He has a wide professional experience in enterprise risk management, supply chain and data science.
Kamil has authored several articles published in international business journals and he was the Winner of the Risk.net 2019 Best Paper of the Year Award.