The threat landscape has changed — the governance response has not kept pace
Swiss private banking has historically operated with a relatively contained technology perimeter. A private bank's core systems — custody, portfolio management, client reporting — were largely proprietary or tightly managed, its client base was relationship-driven rather than digitally engaged, and its exposure to the kind of mass-scale cyber attacks that afflict retail banks was correspondingly limited.
That picture has changed fundamentally over the past decade. The digitalisation of client journeys, the migration to cloud infrastructure, the proliferation of third-party technology providers, and the integration of private banking platforms into broader financial ecosystems have collectively expanded the cyber attack surface of Swiss private banks to a degree that most governance frameworks have not fully registered. The threat actors have registered it, however. Targeted attacks on wealth management institutions — through phishing, social engineering, ransomware and supply chain compromise — have increased materially in frequency and sophistication.
FINMA's response to this evolving threat landscape has been a sustained escalation of its cyber risk supervisory programme. The regulator has conducted thematic reviews of cyber risk governance across the Swiss banking sector, issued guidance on ICT risk management expectations, and — through FINMA Circular 2023/1 on operational risks and resilience — codified its expectations for cyber risk management as a component of broader operational resilience. The introduction of DORA has added a further layer of regulatory obligation for institutions with EU nexus. The combined supervisory message is unambiguous: cyber risk management is a governance obligation, not a technology function.
The Swiss cyber risk regulatory framework is anchored in FINMA Circular 2023/1 (Operational risks and resilience — banks), which superseded the earlier Circular 2008/21 and significantly expanded the regulatory expectations for ICT and cyber risk management. For institutions with EU operations or EU client relationships, the Digital Operational Resilience Act (DORA) imposes additional obligations across five domains: ICT risk management, incident reporting, digital operational resilience testing, third-party ICT risk management, and information sharing. FINMA and EU regulators are coordinating their supervisory approaches — meaning that institutions subject to both frameworks face an integrated, not duplicative, set of obligations.
What FINMA expects: the five dimensions of cyber risk governance
FINMA's expectations for cyber risk governance in Swiss banks can be organised around five interconnected dimensions. Mature cyber risk management requires all five to be in place and functioning — an institution that excels in one dimension while neglecting another remains fundamentally exposed.
Dimension 1: governance and board oversight
FINMA's primary governance expectation is that the board of directors takes ownership of cyber risk — not by becoming technically expert, but by exercising the same quality of strategic oversight over cyber risk that it exercises over credit risk, market risk or operational risk. This means the board must receive regular, meaningful reporting on the institution's cyber risk position; must understand the principal threats and the adequacy of controls at a strategic level; and must satisfy itself that management has allocated adequate resources to cyber risk management.
In practice, FINMA expects to see cyber risk reflected in the board risk appetite statement, with quantified or at minimum clearly described risk tolerance limits. It expects the risk committee to have cyber risk as a standing agenda item, with reporting that goes beyond IT project updates to give a genuine risk picture. And it expects a clear escalation protocol that brings material cyber incidents to board attention promptly — not days after the fact.
Many Swiss private bank boards delegate cyber risk entirely to the CRO or CTO. This delegation is appropriate for day-to-day management, but it does not transfer board accountability. FINMA holds the board responsible for the adequacy of the institution's cyber risk governance framework — and an on-site examination that reveals the board has had no substantive discussion of cyber risk in twelve months is a governance finding, not a technology finding.
"A cyber incident is not a technology event that happens to have governance implications. It is a governance event that happens through technology."
Dimension 2: risk identification and assessment
Effective cyber risk management begins with a clear and current picture of what the institution is protecting, what the realistic threats are, and where the principal vulnerabilities lie. This sounds straightforward but is routinely underdeveloped in Swiss private banks, where the technology asset inventory is often incomplete, threat intelligence is purchased rather than contextualised, and vulnerability assessments are conducted on a cycle that is too slow for the pace of the threat environment.
FINMA expects institutions to maintain a current and complete inventory of critical information assets — systems, data, processes and third-party dependencies that, if compromised, would cause material harm to the institution or its clients. This inventory is the foundation of the risk assessment: without it, neither the threat analysis nor the control framework can be properly calibrated.
The threat assessment should be informed by current threat intelligence relevant to the Swiss financial sector — including intelligence on the specific threat actors targeting wealth management institutions, the tactics and techniques they employ, and the indicators of compromise that detection systems should be tuned to identify. Generic cyber threat reports are insufficient; the assessment needs to be contextualised to the institution's specific profile and risk environment.
Dimension 3: protection and controls
The control framework for cyber risk in a Swiss private bank should be proportionate to the institution's risk profile — its size, complexity, client base, technology architecture and identified threat landscape. FINMA does not prescribe a specific control set, but its supervisory reviews assess whether the controls in place are commensurate with the risks identified and whether they are operating effectively, not merely documented.
The controls that receive most FINMA scrutiny in private bank examinations include identity and access management (particularly privileged access controls and multi-factor authentication); network segmentation and monitoring; patch management and vulnerability remediation processes; data loss prevention; and the security of client-facing digital channels. For institutions that have migrated to cloud infrastructure, the security of cloud configurations and the governance of cloud service provider relationships receive particular attention.
Dimension 4: detection and incident response
Detection capability — the ability to identify a cyber attack or compromise in progress — is the dimension most frequently underdeveloped in Swiss private banks relative to FINMA's expectations. Many institutions have deployed security monitoring tools but have not established the operational processes, the alert tuning, or the skilled analyst capacity to translate raw monitoring data into timely and accurate incident detection.
FINMA's incident reporting requirements add a critical time dimension to detection capability. Under FINMA Circular 2023/1, significant operational incidents — including cyber incidents — must be reported to FINMA within defined timeframes. An institution that detects an incident late cannot meet its reporting obligations. The detection-to-notification timeline is therefore a key metric for assessing the adequacy of a cyber risk management framework.
Incident response plans must be documented, assigned, and — critically — tested. FINMA's examiners will ask not only whether an incident response plan exists, but when it was last exercised, what the exercise revealed, and how the plan was updated in response. An untested incident response plan is not an incident response capability — it is a document.
Third-party ICT risk: the governance gap most institutions have not closed
The most significant structural change in Swiss private banking cyber risk over the past decade is the degree to which institutions have externalised their technology operations. Core banking, custody services, risk systems, client reporting, digital channels — all of these functions are now routinely delivered by third-party technology providers, cloud platforms, or industry utilities. The cyber risk that accompanied these functions has not been externalised with them. It has been retained by the institution, while the direct control over the risk has been transferred to the provider.
FINMA's expectations for third-party ICT risk management are clear and demanding. Institutions must conduct due diligence on the cyber risk practices of material technology providers before onboarding and on a regular basis thereafter. Service level agreements must include specific provisions for cyber incident notification and cooperation. Concentration risk in third-party ICT arrangements — where multiple critical functions depend on a single provider or a small number of providers — must be assessed and managed. And exit strategies must be documented and feasible, not merely theoretical.
Cyber risk maturity: where does your institution stand?
Swiss private banks vary enormously in their cyber risk maturity — from institutions with sophisticated, independently validated cyber risk programmes to those where cyber risk remains an informal IT function with no meaningful governance integration. The following maturity framework provides a structured basis for self-assessment.
| Dimension | Basic / Developing | Mature / Advanced |
|---|---|---|
| Board oversight | Cyber risk delegated entirely to CTO / IT. Board receives annual update. No risk appetite statement for cyber. | Cyber risk in board risk appetite. Risk committee receives quarterly reporting. Escalation protocol tested. |
| Asset inventory | Partial inventory. Critical assets not formally classified. Third-party dependencies not mapped. | Complete, current inventory. Critical assets classified by business impact. Third-party map maintained. |
| Threat intelligence | Generic threat feeds. No contextualisation to institution's profile. No threat actor tracking. | Sector-specific intelligence. Contextualised to institution. Threat actor profiles maintained and updated. |
| Incident response | Response plan exists but untested. No defined notification timelines. Board notification informal. | Plan tested annually. FINMA notification timelines embedded. Board notification protocol exercised. |
| Third-party risk | Basic contractual provisions. No ongoing monitoring. Exit strategies not documented. | Full lifecycle management. Annual reviews. Concentration risk assessed. Exit strategies tested. |
| Recovery capability | BCP exists but not cyber-specific. RTO/RPO not defined for cyber scenarios. No lessons-learned process. | Cyber-specific recovery plans. RTO/RPO tested in exercises. Post-incident review formally documented. |
DORA's impact on Swiss private banks: what changes and what does not
The Digital Operational Resilience Act entered into force across EU financial institutions in January 2025. For Swiss private banks, the direct application of DORA depends on their EU nexus — specifically, whether they have EU-regulated subsidiaries, serve EU clients through regulated entities, or rely on ICT providers subject to DORA's third-party provisions. Many Swiss private banking groups will find that DORA applies to at least some entities within their group perimeter, even if the Swiss parent is not directly subject to it.
Where DORA applies, it brings three material changes beyond what FINMA Circular 2023/1 already requires. First, the ICT incident classification and reporting framework is more granular and prescriptive than FINMA's current requirements — institutions subject to DORA must assess incidents against specific classification criteria and report within defined timeframes to their competent authority. Second, DORA mandates a programme of digital operational resilience testing — including, for significant institutions, threat-led penetration testing (TLPT) conducted by qualified external testers using live production systems. Third, DORA's third-party ICT risk requirements are more detailed than FINMA's current framework, particularly regarding the oversight of critical ICT third-party providers designated by EU supervisory authorities.
For Swiss private banking groups navigating both FINMA and DORA requirements, the practical approach is to design the cyber risk and operational resilience framework to the higher standard — which, depending on the specific obligation, may be either FINMA or DORA — and document the mapping between the two frameworks. This avoids the inefficiency of maintaining parallel frameworks and gives both regulators a consistent evidence base for supervisory assessment.
Building a cyber-resilient culture: the human dimension
No technical control framework is sufficient if the institution's people remain its most exploitable vulnerability. Social engineering — phishing, vishing, pretexting — remains the most common initial access vector in attacks on financial institutions, including private banks. The sophistication of these attacks has increased dramatically with the availability of AI-generated content: phishing emails that are grammatically correct, contextually relevant, and superficially indistinguishable from legitimate communications are now routine.
Building genuine cyber awareness — not compliance training that staff click through annually, but a risk culture in which staff recognise and respond appropriately to suspicious activity — requires sustained investment in communication, simulation, and consequence management. FINMA's examiners assess the quality of cyber awareness programmes as part of governance reviews. Institutions that can demonstrate a reduction in phishing simulation click rates, prompt reporting of suspicious activity, and clear escalation behaviour from client-facing staff are demonstrating the human layer of their cyber risk management — and it matters.
Senior management and board members deserve particular attention in this context. They are the highest-value targets for sophisticated attackers — and often the least subject to security controls, out of a misplaced deference to seniority. Business email compromise attacks targeting bank executives, CFOs and board members have caused material financial losses across the Swiss financial sector. The cyber risk management programme that does not explicitly address the security behaviour of senior leadership has left its most valuable targets unprotected.
The board question that matters most
After reviewing cyber risk governance frameworks across the Swiss private banking sector, one question proves more diagnostic than any other in assessing board-level cyber risk maturity: If your institution suffered a significant cyber incident tonight, what would happen in the first twelve hours?
The answer to this question — who would be notified, in what sequence, by what channel; what decisions would be made and by whom; when FINMA would be informed and by whom; how clients would be communicated with; who has authority to take systems offline if necessary — reveals whether the incident response framework is operational or merely documented. Boards that cannot answer this question with confidence have not discharged their governance responsibility for cyber risk, regardless of how many cyber risk reports they have received or how sophisticated the institution's technical controls are.
The institutions that manage cyber risk well are those whose boards have asked this question, found the answer unsatisfactory, and invested in making it satisfactory. That investment — in governance clarity, tested response capability, and informed board oversight — is the foundation of genuine cyber resilience. Technology helps. Culture matters. But governance is where it starts.