Press release

Cyber risks: FINMA publishes guidance

The Swiss Financial Market Supervisory Authority FINMA is publishing its findings from its supervisory activities in the area of cyber risks in guidance. It is also providing further details on the obligation to report cyber attacks and scenario-based cyber risk exercises.

FINMA has consistently identified cyber risks as one of the main risks facing the Swiss financial centre for several years now (see Risk monitor). In guidance, FINMA is now providing information on the findings from its supervisory activities in the area of cyber risks and drawing attention to shortcomings it has identified repeatedly. FINMA is also providing further details on the requirements for reporting cyber attacks and conducting scenario-based cyber exercises.

Outsourcing as a risk driver

In 2022 and 2023, more than half of the reported cyber attacks involved outsourced services. FINMA also very frequently identifies weaknesses in this area as part of its supervisory activities with regard to cyber risks. In addition to outsourcing, there is a recurring focus on other topics, such as governance in dealing with cyber risks.

Expanded range of supervisory instruments

Furthermore, FINMA has introduced additional cyber-specific supervisory tools in recent years, such as red teaming and tabletop exercises with the supervised institutions. Red teaming exercises involve security experts taking on the role of an attacker and attempting to breach a company’s cyber security defences by replicating the attack methods of a malicious hacker. In tabletop exercises, a scenario is simulated and played out on paper. The identified risks are continuously analysed, evaluated and summarised in a heat map.

Comprehensive supervisory activities in the cyber area

Supervised institutions are obliged to report cyber attacks to FINMA. FINMA also carried out more than a dozen cyber-specific on-site supervisory reviews last year. The reports received from the supervised institutions or audit firms and FINMA’s own cyber-specific on-site supervisory reviews enable FINMA to assess the quality of the supervised institutions’ cyber defences in depth and, if necessary, to take institution-specific measures at an early stage.


Patrizia Bickel, Spokesperson
Phone +41 (0)31 327 93 19

Press release

Cyber risks: FINMA publishes guidance

Updated: 07.06.2024 Size: 0.25  MB
Add to personal download list
FINMA Guidance 03/2024

Findings from FINMA’s cyber risk supervision, clarification of FINMA Guidance 05/2020 and scenario-based cyber risk exercises

Updated: 07.06.2024 Size: 0.33  MB
Add to personal download list