Strategic cyber security is the basis for trust and profitability in banking

Johannes Dohren
Partner, Cybersecurity and Privacy, PwC Switzerland

Alexander Locher
Senior Manager, Risk Consulting and Internal Audit Financial Services, PwC Switzerland

Cyber risks are an enormous challenge for companies of all sizes in all sectors. In the financial sector, which has always been based on trust and works with sensitive customer data, cyber security is not just a regulatory necessity, but a foundation of business activity. As cyber attacks can jeopardise the integrity of banks and cause considerable damage to the financial market, FINMA has reacted, with consequences for smaller banks too.


The threat situation posed by cyber risks has intensified significantly in recent years. The increasing digitalisation and connectivity of systems, processes and supply chains opens up an ever-larger attack surface. Criminals use increasingly sophisticated methods, for example to gain access to sensitive data or to sabotage systems, in order to extort money or damage an institution’s reputation. Because of its central economic role and a business model built on trust, the banking system in particular is under constant pressure to protect itself against a wide range of cyber threats, from fraud and data theft to targeted attacks on the stability of the financial system.

In response to this development, the Swiss Financial Market Supervisory Authority (FINMA) has specified and significantly tightened the cybersecurity requirements for banks with FINMA Circular 2023/1 ‘Operational risks and resilience – banks’, which came into force on 1 January 2024. It builds on earlier circulars and requires substantial adjustments in the handling of information and communication technology risks (ICT risks), critical data, external service providers and general resilience. FINMA’s cybersecurity requirements follow the structure of the NIST Cybersecurity Framework, whose five core functions form a cycle: Identify, Protect, Detect, Respond and Recover. The FINMA checkpoints (published 9 January 2024) are likewise organised along these five functions, in addition to the explicit requirements for governance and risk management.

The new circular must be read together with the FINMA circulars that already apply, 2017/1 ‘Corporate governance – banks’ and 2018/3 ‘Outsourcing’, because the provisions on governance and risk management continue to apply in full even when cyber-relevant services are outsourced. FINMA reiterated this focus on governance and the monitoring of outsourcing in its supervisory communication of 7 June 2018. The overarching aim of these regulatory efforts in the banking sector is to increase the resilience and security of banks.

Cybersecurity does not only affect (large) banks

What does this mean in practice? From 2024 onwards, regulatory auditors will review the new requirements at all banking institutions, not just at the large banks as before, with the intervention depth ‘audit’. The cybersecurity audit work will be broader and deeper than under the previous regulations.

If banks want to improve their cybersecurity and achieve a good result in such audits, they need to improve along six dimensions: ‘governance, reporting and risk management’, ‘risk identification and assessment’, ‘protective measures and framework’, ‘detection and response’, ‘recovery and resilience’ and ‘vulnerability management and penetration testing’. In concrete terms:

Governance, reporting and risk management

Responsibilities within the institution, including those of the Board of Directors and Executive Management, must be clearly defined. They must be reflected in internal directives and actually exercised in the decision-making and supervisory bodies. This includes, for example, the senior management body defining and approving annually a cyber risk strategy with qualitative and quantitative risk tolerances. Reporting on cyber risks and controls must then be designed so that it is appropriate and understandable for its target audience. For risk monitoring, more reviews and audits should be scheduled than before.

Risk identification and assessment

Cybersecurity must be treated as a risk category of its own within operational risk management, and cyber risks must be identified and assessed systematically. Both external inputs, such as threat information from the darknet, and internal inputs, such as results from cyber-awareness training, must be taken into account; awareness measures also improve the quality of risk identification. Effective identification further requires a complete and accurate inventory of ICT components and interfaces to third parties, a review of the key controls that keep that inventory complete and accurate, and an evaluation of the procedures used to identify threats and their potential consequences.

Protective measures and framework

The protection concept should be derived from the identified risk situation and the risk strategy. It covers access controls, data loss prevention, network and infrastructure security measures such as firewalls, and the definition of, and demonstrable compliance with, standard configurations and system hardening baselines.

Detection and response

Institutions need suitable tools and use cases to detect and analyse anomalies across a range of data points. Before any tooling, however, they have to define what counts as an anomaly and how far the analyses are to extend. Banks must also be prepared for emergencies, with incident response plans that are defined and kept up to date.
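To show what ‘defining an anomaly’ looks like once it leaves the policy document, here is an added example written for this page; it is not code from the article, from FINMA or from any bank. It fixes one detection use case in code: a source address that produces THRESHOLD or more failed logins within WINDOW is anomalous, and a successful login from that source while the burst is still within the window is escalated. The log format, the threshold, the window and the log lines are all constructed for the example, and lines the parser cannot read are counted rather than silently dropped, because a use case that ignores malformed input cannot be evidenced as complete.

```python
"""Added example: one detection use case written down as code.

The anomaly definition (THRESHOLD failures within WINDOW from one source)
is an assumption chosen for illustration; a bank would set these values
from its own risk tolerance. Log format and log lines are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed log format: ISO-8601 UTC timestamp, user, source IP, result.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# These two numbers ARE the anomaly definition. Record them with the use
# case; do not leave them implicit in a tool's default settings.
THRESHOLD = 5                    # failed logins ...
WINDOW = timedelta(minutes=2)    # ... within this sliding window, per source


def parse(line):
    """Return an event dict, or None if the line is not an auth record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "user": m["user"], "src": m["src"], "result": m["result"]}


def _evict_old(q, now, window):
    """Drop failure timestamps that have fallen out of the window."""
    while q and now - q[0] > window:
        q.popleft()


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Run the use case over time-ordered log lines.

    Returns (alerts, unparsed_count). A 'failed_login_burst' alert fires once
    when a source crosses the threshold; a 'success_after_burst' alert fires
    for every successful login from a source that is still in a burst.
    """
    fails = defaultdict(deque)   # src -> timestamps of failures inside the window
    bursting = set()             # sources currently at or above the threshold
    alerts = []
    unparsed = 0
    for line in lines:
        ev = parse(line)
        if ev is None:
            unparsed += 1        # counted, so coverage gaps are visible
            continue
        q = fails[ev["src"]]
        _evict_old(q, ev["ts"], window)
        if len(q) < threshold:
            bursting.discard(ev["src"])   # burst has aged out
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in bursting:
                bursting.add(ev["src"])
                alerts.append({"type": "failed_login_burst", "src": ev["src"],
                               "ts": ev["ts"], "count": len(q)})
        elif ev["src"] in bursting:
            alerts.append({"type": "success_after_burst", "src": ev["src"],
                           "user": ev["user"], "ts": ev["ts"]})
    return alerts, unparsed


# Constructed sample: one real burst (10.0.0.5), one user who mistyped once
# (10.0.0.9), one slow trickle that never meets the definition (10.0.0.7),
# and one line that is not an auth record.
SAMPLE_LOG = """\
2024-03-04T08:00:00Z auth user=alice src=10.0.0.5 result=FAIL
2024-03-04T08:00:10Z auth user=alice src=10.0.0.5 result=FAIL
2024-03-04T08:00:15Z auth user=bob src=10.0.0.9 result=FAIL
2024-03-04T08:00:20Z auth user=alice src=10.0.0.5 result=FAIL
2024-03-04T08:00:30Z auth user=alice src=10.0.0.5 result=FAIL
2024-03-04T08:00:35Z auth user=bob src=10.0.0.9 result=OK
2024-03-04T08:00:40Z auth user=alice src=10.0.0.5 result=FAIL
2024-03-04T08:00:50Z auth user=alice src=10.0.0.5 result=OK
this line is not an auth record
2024-03-04T08:03:00Z auth user=carol src=10.0.0.7 result=FAIL
2024-03-04T08:06:00Z auth user=carol src=10.0.0.7 result=FAIL
2024-03-04T08:09:00Z auth user=carol src=10.0.0.7 result=FAIL
2024-03-04T08:12:00Z auth user=carol src=10.0.0.7 result=FAIL
2024-03-04T08:15:00Z auth user=carol src=10.0.0.7 result=FAIL
2024-03-04T08:15:30Z auth user=carol src=10.0.0.7 result=OK
""".splitlines()

if __name__ == "__main__":
    found, skipped = detect(SAMPLE_LOG)
    for a in found:
        print(a)
    print(f"unparsed lines: {skipped}")
```

The slow trickle from 10.0.0.7 is the caveat the paragraph hints at: the same five failures, spread over twelve minutes, do not meet this definition, so whether that is acceptable is a decision about ‘to what extent the analyses should be applied’, not a tooling question. Changing the window or adding a second, longer-horizon rule is how that decision gets recorded.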

Recovery and resilience

Banks need adequate plans and processes for restoring normal operations. The focus here is on the backup processes and on where the backup data is stored. Recovery processes must be tested regularly for operational effectiveness, and lessons must be learnt from the weaknesses those tests reveal.

Vulnerability management and penetration testing

Vulnerability analyses and penetration tests have long been familiar to the industry. Demonstrating effective vulnerability management, however, takes more than the analyses and their reports: banks should be able to show that identified vulnerabilities are closed quickly and that the processes established for this work efficiently. It is also essential that vulnerability analyses and penetration tests are carried out by suitably qualified parties.
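What ‘closed quickly’ looks like as evidence is easiest to see on a register. The following is an added example written for this page, not code from the article, from FINMA or from any scanning product: it takes a constructed list of findings and a remediation target per severity (the targets are assumptions for the example, not FINMA or industry figures) and produces the numbers an auditor would ask for: time to close, findings closed within target, findings still open past target on the reporting date, and a list of breaches to explain.

```python
"""Added example: remediation evidence from a vulnerability register.

SLA_DAYS and REGISTER are constructed for illustration. A real run would
read the register from the scanner or ticketing export and the targets
from the bank's own vulnerability management directive.
"""
from datetime import date
from statistics import median

# Assumed remediation targets in calendar days per severity (example values).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed register: id, severity, date found, date closed (None = still open).
REGISTER = [
    {"id": "V-001", "severity": "critical", "found": date(2024, 1, 10), "closed": date(2024, 1, 14)},
    {"id": "V-002", "severity": "critical", "found": date(2024, 1, 20), "closed": date(2024, 2, 5)},
    {"id": "V-003", "severity": "high",     "found": date(2024, 2, 1),  "closed": date(2024, 2, 20)},
    {"id": "V-004", "severity": "high",     "found": date(2024, 2, 10), "closed": None},
    {"id": "V-005", "severity": "medium",   "found": date(2023, 11, 1), "closed": None},
    {"id": "V-006", "severity": "medium",   "found": date(2024, 2, 15), "closed": date(2024, 3, 1)},
]
AS_OF = date(2024, 3, 15)   # reporting date used for open findings


def age_days(finding, as_of):
    """Days from discovery to closure, or to the reporting date if still open."""
    end = finding["closed"] or as_of
    return (end - finding["found"]).days


def assess(register, sla_days, as_of):
    """Return (summary_by_severity, breaches).

    breaches is a list of (id, severity, age_days, target_days) covering both
    findings closed late and findings still open past their target.
    """
    by_sev = {}
    breaches = []
    for f in register:
        sev = f["severity"]
        if sev not in sla_days:
            # An unrated finding has no target and therefore no evidence; fail loudly.
            raise ValueError(f"{f['id']}: no remediation target for severity {sev!r}")
        target = sla_days[sev]
        age = age_days(f, as_of)
        m = by_sev.setdefault(sev, {"total": 0, "closed": 0, "closed_in_sla": 0,
                                    "open_past_sla": 0, "close_times": []})
        m["total"] += 1
        if f["closed"] is not None:
            m["closed"] += 1
            m["close_times"].append(age)
            if age <= target:
                m["closed_in_sla"] += 1
            else:
                breaches.append((f["id"], sev, age, target))
        elif age > target:
            m["open_past_sla"] += 1
            breaches.append((f["id"], sev, age, target))

    summary = {}
    for sev, m in by_sev.items():
        summary[sev] = {
            "total": m["total"],
            "closed": m["closed"],
            # Share of closed findings that met the target; None if nothing closed yet.
            "closed_in_sla_pct": round(100 * m["closed_in_sla"] / m["closed"]) if m["closed"] else None,
            "open_past_sla": m["open_past_sla"],
            "median_days_to_close": median(m["close_times"]) if m["close_times"] else None,
        }
    return summary, breaches


if __name__ == "__main__":
    summary, breaches = assess(REGISTER, SLA_DAYS, AS_OF)
    for sev, m in summary.items():
        print(sev, m)
    for b in breaches:
        print("breach:", b)
```

Two details matter for an audit rather than a dashboard: open findings are measured against the reporting date, so an item that is merely old but still ‘in progress’ counts as a breach, and a finding without a severity rating stops the run instead of being skipped, because an incomplete register is itself a weakness in the process the bank is trying to evidence.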

In practice, banks outsource (core banking) systems, applications, tools or even entire IT departments. This adds complexity when implementing these measures: the strategy, including risk tolerance, must be defined by the bank itself, while the technical measures are implemented by external third parties. The bank remains responsible for appropriate monitoring and for reacting to weaknesses at its providers. Banks must also meet their duty to report cyber incidents to FINMA and the National Cyber Security Centre (NCSC) in good time, even when the incident occurs at a service provider.

Economic challenge

Banks must first develop an in-depth understanding of the cyber risks and threats they are exposed to and decide, at institutional level, which risks they want to protect against. An effective security strategy must be integrated into business processes from the outset to avoid high follow-up costs. It should run through all levels of the organisation and define clear responsibilities, including those of the Board of Directors and the Executive Management. The control functions within the bank should also be strengthened. Involving the right functions and people at an early stage is crucial if security considerations are to be an integral part of business strategy and operations. Finally, the right decisions need to be made about which processes can be outsourced and which should remain in-house, while retaining control over the service providers.

The considerations and measures above also have an economic impact. The (further) development of strategy, risk management and adequate in-house expertise costs money, as do the additional control mechanisms, such as a higher audit cadence for the second and/or third line of defence, and investments in suitable protection and monitoring systems. With regard to outsourcing, banks must ensure that their service providers implement appropriate security measures, which may mean investing in their own ability to monitor these risks or buying in external expertise. Operating costs are therefore likely to rise, but this is a necessary step to secure long-term institutional stability, avoid serious security breaches and retain the trust of customers and society. A serious cyber incident costs the affected institution more than the investment that would have prevented it. This is why the strategic question in cyber is: how much is the trust of my customers worth to me as a bank, and how much am I prepared to pay for it? In this complex and multi-layered task, involving external experts can be of great benefit. Developing a comprehensive strategy and implementing effective measures are the key to intelligent risk management in an increasingly digital world.
