Cyber Risks in FINMA’s Focus

Cyber risks are among the most significant operational risks in the financial sector. FINMA makes it clear that the threat landscape is not only persistently high but continues to intensify. Attacks are becoming more professional, more complex and more targeted. At the same time, digitalization, cloud adoption and outsourcing are structurally expanding the attack surface of many institutions.

Cyber risk is therefore no longer a purely IT issue. It affects governance, risk management, internal control systems and strategic decision-making processes. FINMA expects supervised institutions to adopt an integrated, risk-based and controllable approach to managing cyber threats.

Key Takeaways

Cyber risks are among the central operational risks in the financial market.
The attack surface is expanding due to connectivity, cloud solutions and third-party providers.
Cyber risks must be firmly embedded in governance and risk management.
Outsourcing and third-party dependencies are major risk drivers.
Institutions must report cyber incidents promptly.
Scenario-based exercises and recovery testing are essential.
Cyber resilience means protection, detection, response and recovery.

Cyber Risks as a Strategic Issue

FINMA emphasizes that cyber risks must not be treated in isolation but as an integral component of operational risk management. Technical security measures alone are not sufficient. What matters is holistic management across four dimensions:

Prevention
Detection
Response
Recovery

These elements must be organizationally embedded, documented and regularly tested.

Cyber attacks are increasingly targeted and often exploit weaknesses in outsourced services or external providers. The growing interconnection between financial institutions, IT service providers and platform operators increases systemic risk.

Governance: Responsibility at the Highest Level

A central concern of FINMA is the clear anchoring of cyber risks within governance structures. This means:

The board of directors and executive management are responsible for the strategic management of cyber risks.
Cyber risks must be part of the risk strategy.
Reporting to senior leadership must be structured and risk-oriented.
Risk tolerances must be clearly defined.

Cyber risk cannot be delegated purely as a technical matter. It is a leadership and oversight responsibility.

Outsourcing and Third-Party Risk

A significant portion of reported cyber incidents is linked to external service providers. Cloud providers, IT vendors, software providers or outsourced support functions expand the risk landscape considerably.

FINMA expects:

A complete inventory of all critical service providers
Clear classification of outsourced functions
Contractually defined security requirements
Monitoring mechanisms and control rights
Inclusion of third parties in emergency and crisis exercises

Without transparent management of outsourcing risks, structural vulnerabilities arise.

Detection and Response Capabilities

Many institutions operate technical monitoring systems. However, the challenge often lies in organizational coordination.

Key questions include:

Who makes decisions during an incident?
How quickly are escalation procedures triggered?
What communication channels are defined?
How are regulatory reporting obligations fulfilled?

FINMA requires clearly defined processes for identifying, analyzing and managing cyber incidents. This extends beyond IT security and involves institutional crisis management capability.

Recovery and Resilience

An often underestimated aspect is recovery capability. Cyber resilience means remaining operational even in the event of a successful attack.

This includes:

Tested backup strategies
Realistic recovery plans
Regular emergency exercises
Simulation-based testing under realistic conditions

Paper-based contingency plans are not sufficient. What matters is actual functionality under stress conditions.

Reporting Obligations and Transparency

Cyber incidents must be reported to the supervisory authority within defined timeframes. This reporting obligation is not only about regulatory transparency but also about safeguarding overall financial system stability.

Institutions therefore require clear internal processes to:

Properly classify incidents
Fulfill reporting obligations on time
Prepare information consistently

Lack of clarity in internal structures can lead to significant delays.

Conclusion

FINMA makes it clear: cyber risks are a strategic core issue for financial institutions. They affect not only IT departments but governance, risk management, internal controls and executive leadership.

Effective cyber risk management is characterized by:

Clear responsibilities
Integrated governance structures
Systematic third-party oversight
Strong detection and response mechanisms
Tested recovery processes

Cyber resilience is not a static condition but a continuous development process. Institutions that actively manage cyber risks and integrate them into their overall strategy strengthen not only regulatory compliance but also long-term stability and trust.

FAQ

What does FINMA mean by cyber risks?
Cyber risks are operational risks arising from cyber attacks, technical vulnerabilities, third-party dependencies and organizational weaknesses.

Why is cyber risk a governance issue?
Because it affects strategic decisions, risk tolerances, reporting structures and accountability at the highest level.

What role do third parties play?
External service providers significantly expand the attack surface and must be actively integrated into risk analysis, contractual arrangements and contingency planning.

What does cyber resilience mean in practice?
The ability to prevent attacks, detect them early, respond effectively and restore operations quickly.

How should institutions prepare?
By embedding cyber risks into governance structures, defining clear escalation processes, conducting regular exercises, testing recovery plans and fostering a company-wide risk culture.