Technical safeguards such as firewalls and spam filters do not protect against an employee clicking on a malicious link. Asset managers are attractive targets for phishing, business email compromise, social engineering and ransomware due to the assets they manage and their sensitive client relationships. FINMA explicitly identifies cyber risks in FINMA Guidance 03/2024 and requires regular, documented awareness training as a regulatory requirement. Effective training includes simulated phishing campaigns, sector-specific content and comprehensive documentation for audit purposes. Serious cyber incidents must be reported to FINMA (Art. 29 paragraph 2 FINMAG, FINMA Guidance 05/2020): an initial report within 24 hours, followed by a full report within 72 hours. The most important preventive measure is a well-trained workforce.
Imagine the following scenario: an employee at an asset management firm receives an email that appears to come from a custodian bank. The sender looks familiar, the logo is correct, and the content sounds plausible. It concerns an ‘urgent update to login details’ – a link is attached. The employee clicks on it.
What follows is a classic phishing attack. Login details are stolen. Without effective multi-factor authentication, an attacker may, under certain circumstances, gain access to customer files, email correspondence and internal systems. Whether such an incident must be reported to FINMA depends on its severity and the specific consequences.
This scenario is not fictional. It is one of the most common attack methods, which FINMA explicitly identifies in its annual Risk Monitor and in FINMA Guidance 03/2024 as a significant risk for supervised institutions.
Why asset managers are particularly attractive targets
Cybercriminals go where the value is. Asset managers oversee substantial assets, maintain close, trust-based relationships with wealthy private clients, and communicate regularly via email and digital platforms. This makes them attractive targets for:
-
Phishing and spear phishing: targeted emails tailored to a specific person or organisation
-
Business Email Compromise (BEC): attackers pose as executives or partners and demand transfers or the disclosure of data
-
Social engineering: calls in which someone poses as IT support, a bank employee or an authority
-
Ransomware: encryption of all data combined with a ransom demand
The FINMA Guidance 03/2024 states that supply chain attacks have accounted for more than half of reported cyberattacks since 2020. No single institution is therefore responsible only for itself, but also for the security posture of its service providers.
The reporting obligation and what it means in the event of cyber incidents
If a significant cyber incident occurs, the following applies: under Art. 29 para. 2 FINMASA and FINMA Guidance 05/2020, supervised institutions are required to report serious cyber incidents to FINMA. Not every cyber incident automatically triggers a reporting obligation; what matters is the severity and the concrete impact. Cyberattacks classified as «medium», «high» or «severe» must be reported.
-
Initial report: within 24 hours to the responsible FINMA client advisor
-
Full report: within 72 hours via FINMA's EHP platform
-
For «severe» attacks, the 24-hour deadline also applies outside office hours
Anyone who, at such a moment, still does not know which system is affected, which data has been compromised, and who is responsible internally will not meet these deadlines. Missing or late reports are themselves findings relevant to audits.

Technical measures alone are not enough
Many companies invest in firewalls, endpoint protection, spam filters and encryption. That is correct and important. But these measures have one critical weakness: they do not protect against an employee clicking on a malicious link.
FINMA Guidance 03/2024 states this explicitly: «In order for protective measures to be effective, it is essential that employees at all levels of the hierarchy are regularly informed about and trained on cyber risks, know and understand the most common methods of attack such as phishing and know who to contact within the company if they spot any signs of a cyber attack.»
FINMA formulates this clearly as a supervisory expectation of supervised institutions.
What makes for good awareness training
Security awareness training is not a one-off onboarding video that employees watch once a year. Effective training works differently:
Simulated phishing campaigns: Employees regularly receive simulated phishing emails modelled on real attacks. Anyone who clicks the link is redirected straight to a learning page — no blame, but an immediate learning opportunity. Click rates show measurably where training is needed.
Industry-specific content: An awareness programme for asset managers should present scenarios that occur in everyday work: phishing emails appearing to come from custodian banks, fake document approval requests, phone calls in which someone poses as IT support.
Documented delivery: FINMA expects training and its delivery to be documented — this is a point that audit organisations explicitly check. From a regulatory perspective, an awareness programme without evidence carries little weight.
Regular updates: AI-generated phishing emails are now barely distinguishable from genuine emails in terms of language. Awareness programmes must be continually updated to remain effective.
What Dinotronic can do for you
At Dinotronic, we offer security awareness training as a fixed component of our Managed Security Services for FINMA-regulated asset managers and family offices. This includes simulated phishing campaigns, industry-specific training content, regular reports on training progress and complete documentation for audit purposes.
As a Microsoft partner with ISO 27001:2022 certification and more than 30 years of experience in managed services, we do not view cybersecurity as an isolated topic. We see it as an integral part of robust ICT governance. Technical protective layers and a trained team complement each other; both are necessary.
Because in the end, the most important security measure is not the most expensive tool. It is the person who knows what to do when they receive a suspicious email.
Would you like to know how well prepared your employees are for phishing attacks? We would be happy to run a simulated phishing campaign as a starting point.
Download tip: ICT checklist for asset managers
Developed from practical experience with FINMA-regulated asset managers and family offices: our checklist provides a concise overview of the key ICT requirements and helps identify gaps in governance, security and documentation.
FINMA clearly frames the regular information and training of employees as a supervisory expectation of supervised institutions. In addition, audit organisations explicitly check for documented training delivery during audits. From a regulatory perspective, an awareness programme without evidence carries little weight. In practice, this means FINMA-supervised asset managers have no way around it.
A one-off refresher video per year is not enough. Effective training is an ongoing process: regular simulated phishing campaigns, industry-specific content and continuous updating of scenarios. The latter matters more than ever, because AI-generated phishing emails are now barely distinguishable from genuine emails in terms of language. A programme that was set up two years ago and has not been adjusted since no longer reflects the current threat landscape.
Nothing serious happens, which is exactly the point. Anyone who clicks the link in a simulation is redirected straight to a learning page: no blame, just an immediate learning opportunity. Click rates also show measurably where training is needed and document progress over time. What matters is a culture that allows employees to report suspicious emails rather than staying silent about incidents out of fear.