Article series: FINMA at work

How FINMA is getting to the bottom of cyber risks in the financial sector

In this interview, Tobias Schumacher, Senior Cyber Risk Management Specialist at FINMA, discusses the cyber risks that financial institutions should be particularly wary of. His message is clear: the need for action will persist in 2026.

Mr Schumacher, the FINMA Risk Monitor 2025 once again contains clear warning signals. How does FINMA assess the current cyber threat situation?

The Swiss financial sector is facing increasing challenges in cyber security. Technological interconnectedness and external dependencies on third-party providers raise the risks. An integrated approach to protection, detection, response and resilience remains paramount.

Where do you see the greatest dangers, specifically?

The current risk landscape is characterised by increased complexity. Non-financial risks, such as cyber attacks, are gaining in importance alongside financial risks. The Risk Monitor shows that the Swiss financial sector was also a preferred target of cyber criminals in 2025. Banks, insurance companies and other financial institutions are exposed to a particularly high risk due to their technological interconnectedness, their critical services and their dependencies on external service providers. Attackers are becoming increasingly professional and their methods are evolving, especially through faster automation and the use of generative AI. At the same time, at many institutions, cyber risk management is still inadequately coordinated. The organisation and control of cyber security measures often take place in isolation within IT, without sufficient embedding in governance, in the internal control system or in operational risk management.

What do you mean by cyber risks being inadequately coordinated?

A modern security concept does not consist of individual technical measures but of coordinated, risk-based security mechanisms. There are still significant blind spots, particularly with cloud platforms and other external infrastructure. Requirements are not defined consistently, the effectiveness of security measures is not fully demonstrated and there is often a lack of seamless integration into the detection system. Audit reports from service providers are also often not consistently analysed for cyber relevance. This creates gaps at central interfaces, which are deliberately exploited by attackers.

Where do you see further need for optimisation?

In detection and response. The ability to identify, prioritise and contain security-critical events quickly is essential. Although many institutions have monitoring tools, institution-specific use cases, clear operational responsibilities in critical situations and regular tests of response processes are often lacking. Without consistent integration of governance, detection and response, the effectiveness of individual solutions remains limited.

Another central point is the recovery capability after cyber incidents. Where are the greatest challenges there?

Although cyber scenarios should have been part of business continuity management for years, their implementation and joint exercises with service providers are often neglected. Backups are only valuable if they function under real conditions. Insights from tests and actual incidents must feed into the processes to strengthen resilience. Only the combination of protection, detection, response and recovery produces robust operational resilience.

How important is an integrated perspective for the resilience of the institutions?

To control cyber risks effectively, an integrated perspective must be achieved in such a way that it clearly transfers cyber aspects to line responsibility and overall risk management. Risk identification, assessment and documentation must be carried out uniformly and relevant security controls must be formally included in the internal control system and tested for their effectiveness. The handling of outsourced functions is especially important here. Responsibilities, escalation paths and the control of the security level at service providers must be institutionalised, as problems at a few critical service providers can increasingly affect several institutions simultaneously. FINMA also observed a sharp increase in reports of cyber attacks via supply chains and third parties in 2025, as well as more data thefts by insiders, readily demonstrating the relevance of an effective framework for insider threats and anomaly detection.

What does all this mean for the stability of the financial centre?

Cyber resilience has become a key factor for the stability of the Swiss financial centre. The question is no longer about whether or when an institution will become the target of a cyber attack. It’s about how resilient it is in dealing with the attack. Furthermore, the quality differences lie not in the technology but in the interplay of governance, risk culture, technical protection, response capability and recovery competence. Though the institutions have the necessary foundations, what counts is how well they can deploy them in an emergency.

What role will FINMA play in the future?

FINMA continues to define cyber issues as one of the top risks. It focuses on data-based supervision and strengthens the assessment of the cyber security arrangements of the supervised entities with suitable instruments, such as scenario-based cyber exercises. In this way, FINMA is committed to protecting financial market clients and to the seamless functioning of the financial markets.
