Cyber attacks on financial institutions are increasing in frequency and sophistication. FINMA expects supervised entities to maintain robust cyber security programmes integrated with operational risk management. For Swiss banks, FinTech companies, and asset managers, cyber compliance is not a standalone IT concern — it is a regulatory obligation with direct supervisory consequences. This guide covers FINMA expectations and practical implementation steps.
FINMA Cyber Security Expectations
FINMA addresses cyber risk through several instruments: Circular 2023/1 (operational risks and resilience), which sets expectations for managing ICT and cyber risk as part of operational risk; Circular 2018/3 (outsourcing), which governs cloud and other outsourced services; FINMA Guidance 05/2020 on the duty to report cyber attacks under Art. 29 para. 2 FINMASA; and thematic reviews on cyber resilience. Core expectations include:
- Board and senior management accountability for cyber risk
- Documented information security policy aligned with a recognised framework (ISO/IEC 27001, the NIST Cybersecurity Framework, CIS Controls)
- Risk-based approach to identifying, assessing, and mitigating cyber threats
- Incident detection, response, and reporting capabilities
- Regular testing including vulnerability assessments and penetration tests
- Employee awareness training and phishing simulation programmes
Who Must Comply?
All FINMA-supervised institutions face cyber security requirements proportional to their size, complexity, and risk profile. This includes banks, securities firms, asset managers, insurance companies, and FinTech licence holders. SRO-supervised financial intermediaries that handle client data and payment flows should adopt equivalent controls even where these are not explicitly mandated, since the threat profile is the same.
Building a Cyber Security Programme
1. Governance and Risk Assessment
Establish a Chief Information Security Officer (CISO) or equivalent role with a reporting line to the board or executive management. Conduct cyber risk assessments at least annually and after material changes, covering assets, threats, vulnerabilities, and the controls already in place. Maintain an inventory of critical systems and data flows, particularly those touching client assets, payment rails, and authentication systems, so that testing and monitoring can be prioritised by impact.
2. Technical Controls
Implement defence in depth: network segmentation between client-facing, internal, and management networks; multi-factor authentication, at minimum for privileged and remote access; encryption of data at rest and in transit; endpoint detection and response; and centralised logging with security information and event management (SIEM) alerting. For cloud-hosted FinTech infrastructure, document the shared responsibility split with each provider explicitly: the provider's own certifications cover its layer only, and the institution remains accountable to FINMA for configuration, identity, and data protection on top of it. Providers must be assessed and contractually bound under the Circular 2018/3 outsourcing requirements, including audit and access rights.
3. Incident Response
Maintain a documented incident response plan with defined roles, escalation paths, decision authority, and pre-approved communication templates. Under Art. 29 para. 2 FINMASA and FINMA Guidance 05/2020, cyber attacks of substantial importance must be reported to FINMA immediately: an initial notification within 24 hours of detection, followed by the full report within 72 hours via FINMA's reporting platform. Parallel reporting to the National Cyber Security Centre (NCSC) may also be required, notably for operators of critical infrastructure under the Information Security Act. Post-incident reviews with root cause analysis and tracked remediation are expected, and the report to FINMA should be updated as the investigation matures.
4. Penetration Testing and Red Teaming
FINMA expects regular independent security testing proportional to the institution's size and risk profile. Annual penetration tests of external-facing systems are the minimum baseline; larger institutions also conduct red team exercises that simulate advanced persistent threats end to end, including phishing, lateral movement, and access to critical systems. Findings must be risk-rated and remediated against tracked deadlines, with retesting to confirm the fix.
5. Business Continuity Integration
Cyber resilience connects directly to business continuity planning. Define recovery time and recovery point objectives (RTO and RPO) for critical systems and prove them by restoring from backup in exercises, not by documenting them alone. Backups must include an offline or immutable copy that a ransomware operator with administrative credentials cannot encrypt or delete, because attackers routinely target backup infrastructure before deploying ransomware. Restore tests and crisis communication plans should be run alongside traditional BCP exercises.
Cyber and Data Protection Overlap
A data breach triggers obligations under both the cyber incident reporting regime and the revised Federal Act on Data Protection (FADP), in force since 1 September 2023, which requires notifying the Federal Data Protection and Information Commissioner (FDPIC) as soon as possible where a breach is likely to result in a high risk to data subjects, and informing affected persons where necessary for their protection. Coordinate incident response procedures so that FINMA notification, FDPIC breach reporting, and client communication are handled from a single fact base and timeline rather than by separate teams with inconsistent statements.
Common Pitfalls
- Checkbox compliance — Policies without operational security controls fail FINMA inspections.
- Untested incident plans — Tabletop exercises reveal gaps before real incidents do.
- Shadow IT — Unapproved SaaS tools bypass security controls and create data leakage paths.
- Delayed patching — Known, publicly exploited vulnerabilities remain open because patch cycles are too slow or lack a fast track for critical fixes.
- Weak vendor oversight — Cloud provider security assumed without contractual verification.
Cyber Security Compliance Checklist
- Information security policy approved by board or senior management
- CISO or designated security owner with defined responsibilities
- Annual cyber risk assessment documented and reviewed
- Multi-factor authentication enforced for all privileged access
- SIEM or equivalent logging and alerting operational, with log retention sufficient for forensic investigation
- Incident response plan tested within the last 12 months
- Penetration test completed with remediation tracked
- Employee security awareness training completed annually
- Cloud and vendor security assessments per Circular 2018/3
- Immutable backups tested for ransomware recovery scenarios
Cyber security compliance is continuous and evolving. Swiss financial institutions that invest in proactive defence, regular testing, and integrated incident response protect clients, reputation, and regulatory standing.