70 significant cyber incidents at FINMA-supervised institutions in 2024. Cyber risks remain the top operational risk in Swiss financial services (FINMA Risk Monitor, 2025). Circular 2023/1 “Operational Risks and Resilience” mandates regular penetration tests, incident response plans, and risk assessments.
Below: the complete FINMA cybersecurity requirements, the TIBER-CH framework, and concrete measures for financial institutions.
Which FINMA Circulars Govern Cybersecurity Requirements?
FINMA has built a comprehensive regulatory framework for cybersecurity in the financial sector over the years. The relevant circulars and guidelines form an integrated system that imposes extensive obligations on financial institutions.
FINMA Circular 2023/1 “Operational Risks and Resilience”
Circular 2023/1, in force since January 2024, is the central document for FINMA cybersecurity requirements. It replaces the former Circular 2008/21 and explicitly integrates cybersecurity into operational risk management. Key requirements include:
- Cyber risk management: Institutions must implement a comprehensive cyber risk management framework covering the identification, assessment, monitoring, and mitigation of cyber risks.
- Governance: The executive board and board of directors bear responsibility for cyber risk management. Regular reporting to senior management is mandatory.
- Information asset protection: Critical information assets must be identified, classified, and adequately protected.
- Vulnerability management: Regular identification and remediation of vulnerabilities, including penetration tests.
- Incident management: Documented processes for detection, analysis, and handling of cyber incidents.
- Business Continuity Management (BCM): Ensuring operational resilience in the event of cyberattacks.
FINMA Circular 2018/3 “Outsourcing”
Specific requirements apply to the outsourcing of IT services, including cloud services:
- Risk assessment prior to any material outsourcing
- Contractual assurance of information security
- Right to audit and control of the service provider
- Contingency plans for the failure of outsourcing partners
- Notification obligation for material outsourcing to FINMA
FINMA Supervisory Communications
In addition to circulars, FINMA regularly publishes supervisory communications on current cybersecurity topics:
- Supervisory Communication 05/2020: Handling of cyber risks — calls on institutions to continuously improve their cyber resilience
- FINMA Risk Monitor: Annual publication of key risks, in which cyber risks are regularly identified as a top risk
- On-site inspections: FINMA conducts targeted on-site inspections on cybersecurity and publishes aggregated findings
According to the FINMA Annual Report 2024, the authority conducted over 30 targeted on-site inspections on cybersecurity during the reporting year and identified areas for improvement at more than half of the inspected institutions.
What Is TIBER-CH and What Role Does It Play?
TIBER-CH (Threat Intelligence-Based Ethical Red Teaming) is the Swiss framework for advanced cybersecurity testing in the financial sector. It is based on the European TIBER-EU framework and was developed by the Swiss National Bank (SNB) in collaboration with FINMA.
Objectives of TIBER-CH
TIBER-CH aims to strengthen the cyber resilience of systemically important financial institutions through realistic, threat-based red team tests. Unlike conventional penetration tests, TIBER-CH simulates real attack scenarios based on current threat intelligence.
Phases of a TIBER-CH Test
A TIBER-CH test proceeds through three main phases:
Phase 1: Threat Intelligence
- Identification of the most relevant threat actors for the specific institution
- Analysis of the tactics, techniques, and procedures (TTPs) of these actors
- Creation of a tailored threat intelligence report
- Development of realistic attack scenarios
Phase 2: Red Team Testing
- Execution of controlled attacks on the institution’s production systems
- Simulation of the identified attack scenarios without advance warning to the defensive teams
- Documentation of all attack paths, exploited vulnerabilities, and objectives achieved
- Typical test duration: 10-12 weeks
Phase 3: Purple Teaming and Closure
- Joint analysis of results by the red team and blue team (defenders)
- Identification of improvement measures for detection and defence
- Creation of a comprehensive final report
- Development of a prioritised remediation plan
Who Must Conduct TIBER-CH Tests?
TIBER-CH tests are primarily intended for systemically important financial institutions, including:
- Systemically important banks (UBS, Raiffeisen Group, Zürcher Kantonalbank, PostFinance)
- Central financial market infrastructures (SIX Group)
- Other institutions designated by FINMA or the SNB
The experts at Red Team Partners hold the required TIBER-CH certification and conduct these specialised tests for Swiss financial institutions.
“TIBER-CH tests go far beyond conventional penetration testing. They simulate the real threat landscape and test the entire defence chain of a financial institution — from detection through response to recovery. For systemically important institutions, they are indispensable.” — Dr. Markus Ronner, former Group Chief Compliance & Governance Officer, UBS
What Specific Cybersecurity Measures Does FINMA Require?
FINMA requirements are comprehensive and affect all levels of IT security. Supervised institutions must implement the following measures.
Identification and Protection of Critical Systems
- Asset inventory: Complete inventory of all IT assets, especially those supporting critical functions
- Data classification: Systematic classification of all data by confidentiality, integrity, and availability
- Critical functions: Identification and special protection of functions essential for maintaining business operations
- Perimeter protection: Robust network boundaries with multi-layered protection mechanisms
Vulnerability Management and Testing
FINMA expects systematic vulnerability management:
- Vulnerability scanning: Regular automated vulnerability scans (at least monthly)
- Penetration tests: Annual penetration tests of critical systems by independent external providers
- Red team assessments: For larger institutions — regular red team tests to verify defensive capabilities
- Code reviews: Security review of internally developed software prior to production deployment
- Patch management: Timely remediation of identified vulnerabilities according to defined SLAs
According to FINMA data, institutions that conduct regular penetration tests and red team assessments experience on average 45% fewer critical cyber incidents. The investment in professional security testing pays off directly.
Red Team Partners offers specialised penetration tests and red team assessments explicitly tailored to FINMA requirements.
Identity and Access Management (IAM)
- Privileged Access Management (PAM): Special protection and monitoring of privileged access
- Multi-factor authentication: MFA for all critical systems and remote access
- Access recertification: Quarterly review of all access rights
- Least privilege: Strict implementation of the principle of least privilege
- Session management: Time-limited sessions and automatic logout
Security Operations and Monitoring
- Security Operations Center (SOC): Round-the-clock monitoring of IT infrastructure (internal or external)
- SIEM: Security Information and Event Management for centralised collection and analysis of security events
- Threat intelligence: Integration of current threat information into security monitoring
- Anomaly detection: Use of technologies to detect unusual activities
- Log management: Centralised, tamper-proof storage of all security-relevant logs (retention period at least 1 year)
Incident Response and Reporting Obligations
FINMA has specific requirements for handling cyber incidents:
- Reporting obligation: Significant cyber incidents must be reported to FINMA within 24 hours
- Incident response plan: Documented and regularly tested plan
- Forensic capability: Ability to conduct forensic analysis of cyber incidents (internally or via service providers)
- Communication: Defined communication processes for internal and external decision-makers
- Post-incident review: Systematic lessons-learned processes after every incident
Business Continuity and Operational Resilience
- BCP/DRP: Business Continuity Plans and Disaster Recovery Plans for cyber scenarios
- Redundancy: Redundant systems for critical business functions
- Regular testing: At least annual testing of contingency plans, including cyber scenarios
- Recovery objectives: Defined and tested RTO/RPO for all critical systems
- Crisis management: Documented crisis team and crisis management process
What Requirements Apply to Different Institution Types?
FINMA requirements vary depending on the size, complexity, and systemic importance of the institution. The proportionality principle enables a risk-based implementation.
Category 1-2: Systemically Important Banks and Large Institutions
The strictest requirements apply to the largest and most systemically important institutions:
- Comprehensive cyber risk management framework
- TIBER-CH tests (recommended or required)
- Dedicated SOC with 24/7 operations
- Regular red team assessments (at least annually)
- Comprehensive threat intelligence
- Enhanced reporting obligations to FINMA
- Regular FINMA on-site inspections on cybersecurity
Category 3: Medium-Sized Institutions
Medium-sized institutions must also implement comprehensive measures, with certain concessions:
- Cyber risk management proportional to size and complexity
- Annual penetration tests (external)
- SOC services (internal or external)
- Red team assessments recommended but not mandatory
- Regular vulnerability scans
Category 4-5: Smaller Institutions
Smaller institutions must also take appropriate cybersecurity measures:
- Basic cyber risk management
- Regular penetration tests (at least every two years recommended)
- Basic security monitoring
- Incident response capability (can be sourced externally)
- Awareness training for all employees
Insurance Companies
Insurance companies are subject to analogous requirements, with specific additions:
- Protection of insurance data and health data
- Cybersecurity requirements for claims processing
- Specific requirements for cyber insurance products
- Integration of cybersecurity into enterprise risk management
Asset Managers and Fintech
Since the introduction of FinSA/FinIA, independent asset managers and fintech companies are also subject to FINMA supervision:
- Appropriate technical and organisational measures
- Client data protection as a central requirement
- Secure processing of financial transactions
- Regular security assessments proportional to the risk profile
How Are FINMA Cybersecurity Requirements Enforced?
FINMA has a broad range of instruments for enforcing its cybersecurity requirements. Supervisory practice has become significantly stricter in recent years.
Supervisory Instruments
- On-site inspections: Targeted inspections of cybersecurity measures on-site
- Audit firms: Mandating audit firms for security audits
- Self-assessments: Regular self-assessments by institutions of their cybersecurity level
- Enforcement proceedings: Formal proceedings for serious violations
- Orders: Ordering specific measures to remedy deficiencies
Sanctions
In the event of violations of cybersecurity requirements, FINMA has various sanctioning options:
- Ordering immediate corrective measures
- Appointment of a monitor to oversee remediation
- Restriction of business activities
- Publication of enforcement decisions (naming and shaming)
- In severe cases: revocation of the licence
According to the FINMA Enforcement Report 2024, several proceedings were initiated due to inadequate cybersecurity measures. In two cases, public reprimands were issued, and in one case a monitor was appointed. FINMA emphasises that it treats cybersecurity deficiencies as serious compliance violations.
Current FINMA Supervisory Priorities
FINMA has defined the following cybersecurity priorities for 2025/2026:
- Operational resilience and recovery capability
- Third-party risks and cloud security
- Cyber risks from artificial intelligence
- Ransomware preparedness and response
- Concentration risks with IT service providers
How Can Financial Institutions Ensure Their FINMA Cybersecurity Compliance?
Implementing FINMA cybersecurity requirements demands a systematic approach. The following roadmap provides guidance for financial institutions.
Compliance Roadmap for Financial Institutions
Step 1: Baseline Assessment
- Conduct a cybersecurity maturity assessment
- Compare current state with FINMA requirements
- Identify and prioritise gaps
- Prepare a business case for executive management
Step 2: Governance and Organisation
- Establish a cybersecurity governance structure
- Define roles and responsibilities (CISO, Security Operations, etc.)
- Integrate cybersecurity into the risk management framework
- Regular reporting to the board of directors and executive management
Step 3: Technical Implementation
- Implement the identified technical measures
- Implement or improve the SOC
- Introduce or optimise vulnerability management
- Conduct initial penetration tests and red team assessments
Step 4: Processes and Documentation
- Create or update the incident response plan
- Document all cybersecurity processes
- Implement the reporting process to FINMA
- Regular tabletop exercises
Step 5: Continuous Improvement
- Regular penetration tests (annually or more frequently)
- Continuous security monitoring
- Adaptation to new threats and regulatory changes
- Lessons learned from incidents and tests
For implementation, we recommend working with specialised cybersecurity service providers. An overview of qualified providers in the Swiss market can be found at Alpine Excellence and CybersecuritySwitzerland.com.
How Do FINMA Requirements Compare to International Standards?
FINMA cybersecurity requirements are oriented towards international best practices but feature specific Swiss characteristics.
Comparison with International Frameworks
| Aspect | FINMA | DORA (EU) | NYDFS (USA) |
|---|---|---|---|
| Reporting obligation | 24 hours | 24 hours (initial notification) | 72 hours |
| Penetration tests | Annually (large institutions) | Annually + TLPT every 3 years | Annually |
| Red teaming | TIBER-CH (recommended) | TLPT (mandatory) | Not specified |
| Cloud regulation | Circ. 2018/3 Outsourcing | Detailed ICT third-party rules | Cloud computing policy |
| Governance | Board responsibility | Management body responsibility | CISO obligation |
| Resilience tests | BCM tests annually | Scenario-based testing | Incident response tests |
DORA Compatibility
Swiss financial institutions with EU business have had to take the Digital Operational Resilience Act (DORA) into account since January 2025. DORA imposes requirements that are stricter than FINMA regulation in some areas, particularly regarding:
- Threat-Led Penetration Testing (TLPT) — comparable to TIBER-CH
- ICT third-party risk management
- Information sharing on cyber threats
- Incident reporting to supervisory authorities
ISO 27001 as a Foundation
Many financial institutions use ISO 27001 as a base framework and supplement it with FINMA-specific requirements. This offers several advantages:
- Structured Information Security Management System (ISMS)
- Internationally recognised certification
- Systematic approach to continuous improvement
- Solid foundation for meeting FINMA requirements
According to FINMA, approximately 65% of supervised institutions regard ISO 27001 as the reference framework for their cybersecurity measures.
Frequently Asked Questions About FINMA Cybersecurity Compliance
How often must penetration tests be conducted according to FINMA?
FINMA does not prescribe a fixed frequency but expects larger institutions (Category 1-3) to conduct at least annual penetration tests of critical systems by independent external providers. For smaller institutions, a risk-based approach with tests at least every two years is recommended. Additional tests should be conducted after significant system changes or when relevant vulnerabilities become known.
What happens during a FINMA on-site inspection on cybersecurity?
During an on-site inspection, FINMA or a mandated audit firm examines the institution’s cybersecurity measures directly on-site. The inspection typically covers: governance and organisation, technical protective measures, vulnerability management, incident response capability, third-party management, and documentation. Depending on the institution’s size, the inspection lasts between one and four weeks. Upon completion, the institution receives an inspection report with findings and recommendations.
Must cyber incidents be reported to FINMA?
Yes, significant cyber incidents must be reported to FINMA within 24 hours. The reporting obligation applies to incidents that have a material impact on business operations, customer data, or financial stability. FINMA has provided a standardised reporting form. In 2024, over 70 cyber incidents were reported to FINMA — the actual number of incidents is likely significantly higher.
What role does the board of directors play in cybersecurity?
The board of directors bears ultimate responsibility for the institution’s cybersecurity. It must approve the cybersecurity strategy, be regularly informed about the state of cybersecurity, provide adequate resources, and ensure that FINMA requirements are met. FINMA expects that the board of directors possesses sufficient cybersecurity competence.
How are cloud services treated in the FINMA context?
Cloud services are classified as outsourcing and are subject to FINMA Circular 2018/3. Institutions must conduct a risk assessment, agree on contractual security measures, secure audit rights, and consider data localisation. Material cloud outsourcing must be notified to FINMA in advance. FINMA has increasingly identified concentration risks with cloud providers as a priority topic.
Conclusion: FINMA Cybersecurity as a Strategic Priority
FINMA cybersecurity requirements are comprehensive and are being continuously tightened. For Swiss financial institutions, a proactive, well-structured cybersecurity strategy is not an option but a regulatory necessity. The combination of technical measures, organisational processes, and regular testing — including penetration tests and red team assessments — forms the foundation of FINMA-compliant cybersecurity.
Investments in cybersecurity should not primarily be viewed as compliance costs but as a strategic investment in operational resilience and customer trust. Financial institutions that go beyond the minimum requirements are better protected against cyberattacks and can use this as a competitive advantage.
Specialised service providers such as Red Team Partners support financial institutions in implementing FINMA cybersecurity requirements — from penetration tests and TIBER-CH to comprehensive red team assessments. Use the resources at Alpine Excellence for a broad overview of the Swiss cybersecurity landscape.