40% of all reported cyberattacks in Switzerland target financial institutions (NCSC). Average cost per successful attack: CHF 5.9 million. FINMA requires regular penetration tests and risk assessments under Circular 2023/1. Systemically important institutions must conduct TIBER-CH red team tests.

Below: FINMA requirements, the TIBER-CH framework, sector-specific threats, and proven security strategies for Swiss banks, insurers, and asset managers.

Why Is the Swiss Financial Sector Particularly at Risk?

Switzerland manages approximately 27% of global cross-border wealth — a volume exceeding CHF 7.9 trillion (SNB, 2025). This concentration of assets makes the Swiss financial centre a primary target for state-sponsored hacking groups (APTs), organised cybercrime, and insider threats.

Key Threats at a Glance

Advanced Persistent Threats (APTs): State-backed groups such as APT28 (Russia), Lazarus Group (North Korea), and APT41 (China) have demonstrably targeted Swiss financial institutions. These attacks aim for long-term access to sensitive transaction data and intellectual property.

Ransomware Attacks: The number of ransomware attacks on Swiss financial institutions rose by 87% between 2023 and 2025 according to the NCSC. The average ransom demand stands at CHF 2.3 million, while total costs including downtime and recovery are three to five times higher.

Supply Chain Attacks: The SolarWinds incident demonstrated how vulnerable even well-protected financial institutions can be through their supply chain. 73% of Swiss banks use at least one third-party provider that experienced a security incident in the past three years (SIX Cyber Security Report, 2025).

Business Email Compromise (BEC): Swiss financial institutions lost an estimated CHF 340 million to BEC attacks in 2024. Attackers increasingly use AI-generated deepfake voices and videos to authorise transfers.

Insider Threats: According to the IBM X-Force Threat Intelligence Index 2025, 22% of all security incidents in the financial sector are attributable to insiders — whether through negligence, compromised credentials, or malicious actions.

“The Swiss financial centre, due to its global significance and the concentration of managed assets, is a top-three target for Advanced Persistent Threats worldwide. FINMA’s regulatory requirements are therefore not excessive but absolutely necessary.” — Dr. Florian Schütz, Director of the Federal Office for Cybersecurity (BACS)

What FINMA Requirements Apply to Cybersecurity?

The Swiss Financial Market Supervisory Authority FINMA has established a thorough regulatory framework for cybersecurity at financial institutions. Non-compliance can lead to sanctions ranging from fines to revocation of banking licences.

FINMA Circular 2023/1 “Operational Risks and Resilience”

This circular replaces and expands the former Circular 2008/21 and represents the central legal basis for cybersecurity in the Swiss financial sector. Key requirements include:

  • Governance: Financial institutions must establish clear cybersecurity accountability at executive management level. A CISO or equivalent function is mandatory for supervised institutions.
  • Risk Management: Systematic identification, assessment, and mitigation of cyber risks according to a recognised framework (e.g., NIST CSF, ISO 27001).
  • Protection Requirements: Implementation of defence-in-depth strategies including network segmentation, encryption, multi-factor authentication, and Endpoint Detection & Response (EDR).
  • Detection and Response: Financial institutions must have a Security Operations Centre (SOC) or corresponding managed service ensuring 24/7 monitoring.
  • Reporting Obligations: Material cyber incidents must be reported to FINMA within 24 hours. From 2026, a tightened reporting deadline of 4 hours applies for critical incidents.
  • Third-Party Risks: IT outsourcing must be contractually secured and regularly audited. Cloud usage requires a specific risk analysis.

FINMA Supervisory Communication 05/2020 “Cyber Risks”

This supervisory communication specifies FINMA’s expectations for cybersecurity management:

  • Annual penetration tests for all customer-facing systems
  • Red team assessments at least every two years for systemically important institutions
  • Regular tabletop exercises for cyber incident readiness
  • Documented and tested incident response plans
  • Regular reporting to the board of directors

Sanctions for Non-Compliance

FINMA has extensive sanctioning powers. In the last three years, FINMA has initiated eight enforcement proceedings due to inadequate cybersecurity. Consequences range from formal warnings and the appointment of an investigating officer to fines of up to CHF 10 million and the theoretical revocation of licences.

What Is TIBER-CH and How Does the Framework Work?

TIBER-CH (Threat Intelligence-Based Ethical Red Teaming — Switzerland) is the Swiss equivalent of the European TIBER-EU framework. Developed by the Swiss National Bank (SNB) in collaboration with the financial sector, it aims to test the resilience of systemically important financial institutions against realistic cyberattacks.

The Three Phases of TIBER-CH

Phase 1 — Threat Intelligence: A specialised threat intelligence provider creates a tailored threat intelligence profile of the target institution. This includes an analysis of relevant threat actors, their tactics, techniques, and procedures (TTPs), and potential attack paths.

Phase 2 — Red Team Testing: Based on the threat intelligence profile, an independent red team conducts a covert attack on the institution’s production systems. The test simulates realistic attack scenarios over a period of 8 to 12 weeks, typically encompassing:

  • Social engineering and phishing campaigns
  • Perimeter breach and lateral movement
  • Access to critical functions (e.g., payment systems, trading platforms)
  • Data exfiltration and persistence mechanisms

Phase 3 — Closure: In the closing phase, the results are analysed in a purple teaming workshop together with the institution’s blue team. Specific improvement measures are defined and prioritised.

Cost of a TIBER-CH Assessment

A complete TIBER-CH assessment typically costs between CHF 250,000 and CHF 600,000, broken down as follows:

  • Threat Intelligence: CHF 50,000–120,000
  • Red Team Testing: CHF 150,000–350,000
  • Purple Teaming and Reporting: CHF 50,000–130,000

For information on red team assessment costs in Switzerland, RedTeam Partners offers transparent pricing models.

Who Must Conduct TIBER-CH?

The SNB currently recommends TIBER-CH tests for systemically important financial market infrastructures and systemically important banks. These include SIX Group, UBS, and other institutions classified as systemically important by the SNB. For other supervised institutions, TIBER-CH is voluntary but increasingly viewed by FINMA as best practice.

An effective cybersecurity strategy for Swiss banks is based on the principle of layered defence (Defence in Depth) and considers the specific regulatory requirements of the Swiss financial centre.

Zero Trust Architecture

The zero trust model is particularly relevant for financial institutions as it replaces the traditional perimeter-based security model with an identity-centric approach. Core principles:

  • Verify explicitly: Every access request is verified against multiple data points (identity, location, device health, service).
  • Least privilege access: Users and systems receive only the minimum necessary permissions.
  • Assume breach: The architecture assumes an attacker is already in the network and minimises impact through microsegmentation.

Swiss banks that have implemented zero trust architecture report 60% fewer successful attacks and 75% lower lateral movement rates according to a SIX study.

Security Operations Centre (SOC)

FINMA expects supervised institutions to maintain 24/7 monitoring. For smaller banks and asset managers, operating an in-house SOC is often not economical — managed SOC services offer an alternative:

  • In-house SOC: Starting from 5 analysts, annual costs CHF 1.5–3 million
  • Hybrid SOC: Combination of internal staff and external provider, CHF 600,000–1.2 million
  • Managed SOC: Fully outsourced, CHF 180,000–480,000 per year

Incident Response and Business Continuity

A documented and regularly tested incident response plan is non-negotiable for financial institutions. FINMA expects:

  • Defined escalation levels and communication pathways
  • Identified critical business processes and recovery times (RTO/RPO)
  • Regular tabletop exercises (at least semi-annually)
  • Annual full-scale simulations for systemically important institutions
  • Integration with the institution’s overall crisis management

How Do Swiss Banks Protect Their Cloud Infrastructure?

Cloud adoption in the Swiss financial sector has increased significantly in recent years. According to an EY Switzerland study, 89% of Swiss banks use at least one cloud service, and 45% run business-critical applications in the cloud (as of 2025).

FINMA Requirements for Cloud Usage

FINMA sets specific requirements for cloud usage by financial institutions:

  • Risk Analysis: A thorough risk analysis must be conducted before any cloud migration.
  • Data Residency: Particularly sensitive data (customer data, transaction data) must be processed in Switzerland or in countries with an adequate level of data protection.
  • Exit Strategy: Financial institutions must be able to migrate their data and services from a cloud provider at any time.
  • Encryption: Data must be encrypted in transit and at rest, with key management ideally remaining with the institution (Bring Your Own Key / Hold Your Own Key).

Cloud Security Best Practices

The following cloud security measures are recommended for Swiss banks:

  • Cloud Security Posture Management (CSPM) for continuous compliance monitoring
  • Cloud Workload Protection Platforms (CWPP) for containers and serverless
  • Cloud Access Security Broker (CASB) for controlling cloud access
  • Regular cloud-specific penetration tests
  • Infrastructure as Code (IaC) security scanning in the CI/CD pipeline

What Does Cybersecurity Cost for Swiss Financial Institutions?

Cybersecurity expenditure in the Swiss financial sector varies significantly depending on institution size, complexity, and regulatory classification. As a rule of thumb:

| Institution Size | Annual IT Budget | Cybersecurity Share | Cybersecurity Budget |
|---|---|---|---|
| Major Bank (UBS class) | CHF 4+ bn | 12–15% | CHF 500M+ |
| Mid-sized Bank | CHF 50–200M | 10–13% | CHF 5–26M |
| Small Bank / Asset Manager | CHF 5–20M | 8–12% | CHF 400K–2.4M |
| Fintech / Startup | CHF 1–5M | 10–18% | CHF 100K–900K |

According to the IBM Cost of a Data Breach Report 2025, the average cost of a data breach in the Swiss financial sector is CHF 5.9 million — the highest across all industries in Switzerland and 35% above the global average.

For a detailed cost breakdown, we recommend the cybersecurity cost guide for Swiss companies from Alpine Excellence.

Return on Security Investment (ROSI)

Calculating ROSI helps financial institutions justify their cybersecurity investments:

  • Avoided Costs: Average cost of a successful attack (CHF 5.9M) multiplied by the probability of occurrence
  • Regulatory Costs: Avoidance of FINMA fines (up to CHF 10M)
  • Reputational Costs: According to a study, Swiss banks lose an average of 7% of their assets under management after a publicised data breach
  • Insurance Costs: Adequate cybersecurity measures reduce cyber insurance premiums by 20–40%

How Does Red Teaming Work for Banks in Switzerland?

Red teaming is one of the most effective methods for Swiss banks to test their real resilience against cyberattacks. Unlike traditional penetration tests, a red team assessment simulates realistic, targeted attacks over an extended period.

Difference Between Penetration Testing and Red Team Assessment

| Criterion | Penetration Test | Red Team Assessment |
|---|---|---|
| Objective | Find vulnerabilities | Test resilience |
| Duration | 1–3 weeks | 4–12 weeks |
| Scope | Defined systems | Entire organisation |
| Methodology | Technical tests | Multi-vector (physical, social, technical) |
| Blue Team Awareness | Informed | Covert |
| Result | Vulnerability list | Attack path analysis with business impact |
| Cost | CHF 15,000–80,000 | CHF 80,000–350,000 |

Special Requirements for Banks

Red team assessments for banks require specialised providers meeting the following prerequisites:

  • Experience with regulated financial institutions and FINMA requirements
  • TIBER-CH accreditation (for systemically important institutions)
  • Confidentiality agreements at banking secrecy level
  • Insurance coverage for asset damages (minimum CHF 10 million)
  • Proven experience with banking applications (core banking, SWIFT, trading platforms)
  • CREST, OSCP, or equivalent certifications for testers

Detailed information on red team assessments is available at CybersecuritySwitzerland.com.

What Role Does Banking Secrecy Play in Cybersecurity?

Swiss banking secrecy, enshrined in Article 47 of the Banking Act, has direct implications for the cybersecurity strategy of financial institutions:

Data Protection and Incident Response

  • In the event of a data breach, banks must navigate the tension between reporting obligations (FINMA, nDSG) and banking secrecy.
  • The sharing of threat intelligence data between banks is restricted by banking secrecy — although the Swiss financial sector’s Information Sharing and Analysis Centre (ISAC) has found ways to exchange anonymised threat information.
  • Cloud providers must be contractually bound to banking secrecy. The FDPIC has clarified that the use of US cloud providers for data subject to banking secrecy is only permissible under strict conditions.

Cybersecurity Personnel Recruitment

Banking secrecy places special requirements on cybersecurity personnel:

  • Extended security vetting for SOC analysts and incident responders
  • Specific NDAs that go beyond standard employment contracts
  • Restrictions on the use of offshore SOC services

How Are Swiss Banks Preparing for the Future?

The cybersecurity landscape is evolving rapidly. The following trends will shape the Swiss financial sector in the coming years:

Quantum-Safe Cryptography

Quantum computers threaten currently used encryption methods. The SNB published a position paper in 2025 calling on systemically important financial market infrastructures to submit a migration plan for post-quantum cryptography by 2028. Recommended steps:

  • Inventory of all cryptographic keys and algorithms
  • Assessment of the “harvest now, decrypt later” threat for long-term sensitive data
  • Pilot projects with NIST-standardised post-quantum algorithms (CRYSTALS-Kyber, CRYSTALS-Dilithium)
  • Hybrid encryption approaches as a transitional solution

AI-Powered Threat Detection

Artificial intelligence is revolutionising both the attack and defence sides:

  • Defensive: AI-based SIEM/SOAR systems reduce Mean Time to Detect (MTTD) by up to 67%
  • Offensive: Attackers use AI for automated phishing campaigns, deepfake-based social engineering, and polymorphic malware
  • Regulatory: FINMA increasingly expects financial institutions to integrate AI risks into their cybersecurity framework

Open Banking and API Security

With the increasing opening of banking interfaces, the attack surface grows:

  • API gateways and OAuth 2.0/OpenID Connect as security standards
  • Runtime Application Self-Protection (RASP) for API protection
  • Regular API-specific penetration tests
  • API inventory and lifecycle management

Checklist: Cybersecurity Compliance for Swiss Financial Institutions

This checklist helps Swiss financial institutions meet the most important cybersecurity requirements:

  1. Governance: CISO or equivalent function established at executive management level
  2. Framework: Recognised cybersecurity framework implemented (NIST CSF, ISO 27001)
  3. Risk Management: Regular cyber risk assessments conducted
  4. Penetration Tests: Annual tests for all customer-facing systems
  5. Red Teaming: Every two years for institutions subject to the regulatory requirement
  6. SOC/Monitoring: 24/7 monitoring through internal or external SOC
  7. Incident Response: Documented plan, tested semi-annually
  8. Reporting Obligation: 24-hour reporting process to FINMA established
  9. Third-Party Risks: All IT outsourcing contractually secured and audited
  10. Cloud Security: Risk analysis, encryption, and exit strategy for cloud services
  11. Awareness: Regular security awareness training for all employees
  12. Business Continuity: BCP and DRP documented and tested annually
  13. Reporting: Regular cybersecurity reporting to the board of directors

Frequently Asked Questions (FAQ)

Is a penetration test mandatory for Swiss banks?

Yes. FINMA expects all supervised institutions to conduct annual penetration tests for customer-facing systems. For systemically important institutions, TIBER-CH requirements additionally apply.

How often must a red team assessment be conducted?

FINMA recommends red team assessments at least every two years for systemically important institutions. For other supervised institutions, it is best practice but not strictly mandatory. After significant changes to IT infrastructure (e.g., mergers, cloud migrations), an additional assessment should be conducted.

May Swiss banks use cloud services?

Yes, under strict conditions. FINMA permits cloud usage but requires a thorough risk analysis, adequate contractual safeguards, an exit strategy, and compliance with banking secrecy. Particularly sensitive data must be processed in Switzerland or in countries with an adequate level of data protection.

What does a FINMA-compliant cybersecurity programme cost?

Costs vary considerably: a small bank should budget CHF 400,000 to CHF 2.4 million per year, a mid-sized bank CHF 5 to CHF 26 million. What matters is not the absolute amount but the cybersecurity share of the IT budget (benchmark: 10–15% for regulated financial institutions).

How do I find the right cybersecurity provider for my bank?

Look for experience with regulated financial institutions, TIBER-CH accreditation (if relevant), Swiss presence, adequate insurance coverage, and relevant certifications (CREST, OSCP, GIAC). Avoid providers that cannot demonstrate references in the financial sector.

What reporting obligations apply in the event of a cyber incident?

Material cyber incidents must be reported to FINMA within 24 hours. From 2026, a 4-hour deadline applies for critical incidents. Additionally, reporting obligations may exist under the nDSG (FDPIC) and — for systemically important institutions — to the SNB. A clear reporting process with defined responsibilities is essential.

Conclusion: Cybersecurity as a Competitive Advantage

For Swiss financial institutions, cybersecurity is no longer merely a cost centre. Banks and asset managers that can demonstrate an above-average cybersecurity posture increasingly win the trust of demanding clients — particularly in wealth management, where data protection and confidentiality are central selling points.

FINMA regulatory requirements, the TIBER-CH framework, and rising threats from state-sponsored hacking groups make it imperative to anchor cybersecurity as a strategic topic at executive management level. Swiss financial institutions that do this protect not only their clients and their business but also safeguard the integrity of the Swiss financial centre as a whole.