HawkInsight

FINMA Releases Guidelines on Cyber Risk

The Swiss Financial Market Supervisory Authority (FINMA) has published a guide to cyber risk.

The Swiss Financial Market Supervisory Authority (FINMA) has issued cyber risk guidelines requiring all regulated entities to report cyber attacks, submitting a preliminary report to FINMA within 24 hours of discovery.

Within these 24 hours, the regulated entity should conduct an initial assessment of the severity of the cyber attack to determine if it meets the threshold for reporting to FINMA. Entities also subject to reporting obligations under the Information Security Act (ISA; RS 128) can submit the 24-hour notification using the National Cyber Security Centre (NCSC) report form, selecting the option to forward the report to FINMA, provided it is completed within the deadline.

If an institution's service providers (such as hospitals, asset management companies, law firms) are not significant outsourcing partners as referred to in FINMA Notice 18/3 "Outsourcing", the institution must ensure that the service provider informs it of any cyber incidents. If the institution classifies a cyber incident reported to it as a relevant event as defined in FINMA Guideline 05/2020, it must also submit the required report to FINMA in such cases.

Cyber attacks classified as "severe" must be reported to FINMA within 24 hours, even outside banking business days.

The reporting obligations for outsourced functions are as follows: according to FINMA Circ. 18/3 Margin No. 23, the regulated institution has the same responsibility towards FINMA as if it were performing the outsourced functions itself. This means that the reporting period begins as soon as the institution or the third-party provider of the outsourced function discovers a cyber incident, ensuring that institutions without any outsourced functions receive the same regulatory treatment.

For cyber attack reports classified as "moderate" in severity, a conclusive root cause analysis is required, including at least an internal or external investigation and forensic report. For cyber attack reports classified as "high" or "severe" in severity, the root cause analysis should include the following:

  • Reasons for the success of the cyber attack;
  • Impact of the attack on regulatory compliance, institutional operations, and customers;
  • Mitigation measures taken to address the consequences of the attack;
  • For "severe" cyber attacks, proof and analysis of the normal operation of the crisis organization must also be submitted.
