Skip to content
Desk
Michael FreulerJul 13, 2026 8:00:02 AM7 min read

Awareness training in wealth management

Awareness training in wealth management
6:34
Key takeaways

Technical safeguards such as firewalls and spam filters do not protect against an employee clicking on a malicious link. Asset managers are attractive targets for phishing, business email compromise, social engineering and ransomware due to the assets they manage and their sensitive client relationships. FINMA explicitly identifies cyber risks in FINMA Guidance 03/2024 and requires regular, documented awareness training as a regulatory requirement. Effective training includes simulated phishing campaigns, sector-specific content and comprehensive documentation for audit purposes. Serious cyber incidents must be reported to FINMA (Art. 29 paragraph 2 FINMAG, FINMA Guidance 05/2020): an initial report within 24 hours, followed by a full report within 72 hours. The most important preventive measure is a well-trained workforce. 

Imagine the following scenario: an employee at an asset management firm receives an email that appears to come from a custodian bank. The sender looks familiar, the logo is correct, and the content sounds plausible. It concerns an ‘urgent update to login details’ – a link is attached. The employee clicks on it.

What follows is a classic phishing attack. Login details are stolen. Without effective multi-factor authentication, an attacker may, under certain circumstances, gain access to customer files, email correspondence and internal systems. Whether such an incident must be reported to FINMA depends on its severity and the specific consequences.

 

This scenario is not fictional. It is one of the most common attack methods, which FINMA explicitly identifies in its annual Risk Monitor and in FINMA Guidance 03/2024 as a significant risk for supervised institutions.

Why asset managers are particularly attractive targets

Cybercriminals go where the value is. Asset managers oversee substantial assets, maintain close, trust-based relationships with wealthy private clients, and communicate regularly via email and digital platforms. This makes them attractive targets for:

  • Phishing and spear phishing: targeted emails tailored to a specific person or organisation

  • Business Email Compromise (BEC): attackers pose as executives or partners and demand transfers or the disclosure of data

  • Social engineering: calls in which someone poses as IT support, a bank employee or an authority

  • Ransomware: encryption of all data combined with a ransom demand

The FINMA Guidance 03/2024 states that supply chain attacks have accounted for more than half of reported cyberattacks since 2020. No single institution is therefore responsible only for itself, but also for the security posture of its service providers.

The reporting obligation and what it means in the event of cyber incidents

If a significant cyber incident occurs, the following applies: under Art. 29 para. 2 FINMASA and FINMA Guidance 05/2020, supervised institutions are required to report serious cyber incidents to FINMA. Not every cyber incident automatically triggers a reporting obligation; what matters is the severity and the concrete impact. Cyberattacks classified as «medium», «high» or «severe» must be reported.

  • Initial report: within 24 hours to the responsible FINMA client advisor

  • Full report: within 72 hours via FINMA's EHP platform

  • For «severe» attacks, the 24-hour deadline also applies outside office hours

Anyone who, at such a moment, still does not know which system is affected, which data has been compromised, and who is responsible internally will not meet these deadlines. Missing or late reports are themselves findings relevant to audits.

Infographic with the mandatory FINMA reporting timelines for cyber security incidents

Technical measures alone are not enough

Many companies invest in firewalls, endpoint protection, spam filters and encryption. That is correct and important. But these measures have one critical weakness: they do not protect against an employee clicking on a malicious link.

FINMA Guidance 03/2024 states this explicitly: «In order for protective measures to be effective, it is essential that employees at all levels of the hierarchy are regularly informed about and trained on cyber risks, know and understand the most common methods of attack such as phishing and know who to contact within the company if they spot any signs of a cyber attack.»

FINMA formulates this clearly as a supervisory expectation of supervised institutions. 

What makes for good awareness training

Security awareness training is not a one-off onboarding video that employees watch once a year. Effective training works differently:

Simulated phishing campaigns: Employees regularly receive simulated phishing emails modelled on real attacks. Anyone who clicks the link is redirected straight to a learning page — no blame, but an immediate learning opportunity. Click rates show measurably where training is needed.

Industry-specific content: An awareness programme for asset managers should present scenarios that occur in everyday work: phishing emails appearing to come from custodian banks, fake document approval requests, phone calls in which someone poses as IT support.

Documented delivery: FINMA expects training and its delivery to be documented — this is a point that audit organisations explicitly check. From a regulatory perspective, an awareness programme without evidence carries little weight.

Regular updates: AI-generated phishing emails are now barely distinguishable from genuine emails in terms of language. Awareness programmes must be continually updated to remain effective.

What Dinotronic can do for you

At Dinotronic, we offer security awareness training as a fixed component of our Managed Security Services for FINMA-regulated asset managers and family offices. This includes simulated phishing campaigns, industry-specific training content, regular reports on training progress and complete documentation for audit purposes.

As a Microsoft partner with ISO 27001:2022 certification and more than 30 years of experience in managed services, we do not view cybersecurity as an isolated topic. We see it as an integral part of robust ICT governance. Technical protective layers and a trained team complement each other; both are necessary.

Because in the end, the most important security measure is not the most expensive tool. It is the person who knows what to do when they receive a suspicious email.

Would you like to know how well prepared your employees are for phishing attacks? We would be happy to run a simulated phishing campaign as a starting point.

Download tip: ICT checklist for asset managers

Developed from practical experience with FINMA-regulated asset managers and family offices: our checklist provides a concise overview of the key ICT requirements and helps identify gaps in governance, security and documentation.

FAQ on Cybersecurity-Awareness-Trainings

Is awareness training actually mandatory for asset managers?

FINMA clearly frames the regular information and training of employees as a supervisory expectation of supervised institutions. In addition, audit organisations explicitly check for documented training delivery during audits. From a regulatory perspective, an awareness programme without evidence carries little weight. In practice, this means FINMA-supervised asset managers have no way around it.

Why are technical measures alone not enough when it comes to cyber security? Technical measures such as firewalls and endpoint protection are appropriate and important, but they have a crucial weakness: they do not protect against an employee clicking on a malicious link or disclosing login details over the phone. In Guidance 03/2024, FINMA explicitly states that protective measures are only effective if staff at all levels of the organisation are regularly informed about and trained in cyber risks. Technology and trained staff complement one another; both are necessary.
How often should cybersecurity awareness training be conducted?

A one-off refresher video per year is not enough. Effective training is an ongoing process: regular simulated phishing campaigns, industry-specific content and continuous updating of scenarios. The latter matters more than ever, because AI-generated phishing emails are now barely distinguishable from genuine emails in terms of language. A programme that was set up two years ago and has not been adjusted since no longer reflects the current threat landscape.

What happens if someone clicks on a simulated phishing email?

Nothing serious happens, which is exactly the point. Anyone who clicks the link in a simulation is redirected straight to a learning page: no blame, just an immediate learning opportunity. Click rates also show measurably where training is needed and document progress over time. What matters is a culture that allows employees to report suspicious emails rather than staying silent about incidents out of fear.

Does every phishing incident have to be reported to FINMA? No, not every cyber incident automatically triggers a reporting obligation. What matters is the severity and the concrete impact: cyberattacks classified as «medium», «high» or «severe» must be reported under Art. 29 para. 2 FINMASA and FINMA Guidance 05/2020. The following then applies: initial report within 24 hours to the responsible FINMA client advisor, full report within 72 hours via the EHP platform. For «severe» attacks, the 24-hour deadline also applies outside office hours.
Do asset managers face an increased risk of cyber incidents? Cybercriminals go where the value is: asset managers oversee substantial assets, maintain trust-based relationships with wealthy private clients, and communicate intensively via email and digital platforms. This makes them vulnerable to spear phishing, Business Email Compromise, social engineering and ransomware. Added to this is the supply chain risk: according to FINMA Guidance 03/2024, supply chain attacks have accounted for more than half of reported cyberattacks since 2020. Every institution therefore also bears responsibility for the security posture of its service providers.
Michael Freuler

Michael Freuler

Head of Solution Consulting and Marketing

Abonnieren Sie unsere monatlichen Newsletter

Unsere Newsletter geben interessante Einblicke in neue Trends.

Sie haben Fragen? Kommen Sie gerne direkt auf uns zu! Wir freuen uns von Ihnen zu hören

Kommen Sie gerne direkt auf uns zu!