FINMA Risk Monitor 2022 – Top 4 Cyber Risks controls

On 10.11.2022, FINMA published its 2022 Risk Monitor. It provides an overview of what FINMA believes are the most important risks that supervised institutions are facing today. One of the key risks, alongside interest rate risk, credit risk, market risk, AML, and market access to Europe, is cyber risk.

We would like to share with you the top 4 internal controls regarding cyber risks that you have to have in place as an asset manager, no matter whether you are operating under the direct supervision of FINMA or are subject to supervision by a supervisory organization (SO).




Control 1: Annual IT-Risk-Self-Assessment

At least annually, ensure your IT-Responsible(s) carry out an IT-Risk-Self-Assessment. Ideally, this is required by your IT-Security Policy. The assessment should be carried out with a standardized questionnaire to track changes (improvements) over time. After completion, ensure the results are discussed with top management and that action plans are developed and implemented in due time.

Be aware that this also applies if you have outsourced your IT or any other services completely or partially. With respect to outsourced activities, make sure you periodically review the IT-Security-Setup of your external partners. Their security issues might become yours very quickly. The best way to cover this task is to initiate a separate control covering your outsourcing risks (on-boarding, instructing / review / monitoring, off-boarding of outsourcing partners).


Control 2: Annual Disaster-Recovery Test

At least once a year, ensure you actually carry out at least one properly designed and carefully planned disaster-recovery test (your BIA can give you hints on what to look out for or what to test) with a complete protocol of events, findings and actions to be taken. Disaster-Recovery Plans look nice on paper, but can prove to be very useful.


Control 3: Review of IT-Security Policy

At least annually, you should review your IT-Security Policy and potentially take into account findings from your IT-Risk-Self-Assessment and your Disaster-Recovery Test. For all your policies, set an expiry date. This forces you to review and reapprove them.


Control 4: Cyber Risk Awareness and Training

At least every 6 months, ensure all your staff undergo an IT-Security Awareness-/Training session. In general, the weakest link in your IT-Security-Setup is human. Walk your team through your IT-Security-Policy, elaborate on past incidents, and tell them how to report incidents and how to act if in doubt. Instead of the HR Department, identify an expert to carry out these sessions.

Also, make sure all your employees, in particular your executives, are fully aware of the “FINMA Guidance 05/2020” (Duty to report cyber-attacks pursuant to Article 29 para. 2).

In case you have outsourced your IT or any other services, ensure your outsourcing partners are aware of this FINMA guidance and fully understand its implications. It’s your duty to properly instruct them.




These four controls cover the basics. They are a good starting point for more elaborate, maybe more technical and process-oriented controls further down the line.

Updated at 28 March 2023
