Comply with FINMA regulations and strengthen cyber security: You can do both with a managed digital workplace
Between 632 and 2,490 reports per week were received by the Federal Office for Cybersecurity (BACS) in 2024. The majority of these were fraud attempts, but phishing and spam are also frequently reported. In the first week of 2025, a further 695 reports were received by the BACS. (Source: NCSC)
These figures show that cybercrime is real and poses a serious threat to businesses. In order to protect regulated companies in particular, such as financial institutions, from such threats, to protect data and to maintain the stability of the financial market, the Swiss Financial Market Supervisory Authority (FINMA) sets out regulations on the principles that must be applied to ensure data protection and cyber security. These FINMA regulations are of central importance for institutions in Switzerland, as they translate into concrete measures that the institutions must take.
FINMA regulations as an opportunity for companies
The FINMA regulations may initially appear to be a burden. However, they also open up new opportunities. For example, companies that adapt their IT infrastructure to FINMA's requirements can kill several birds with one stone. They can:
- raise their security standards,
- ensure their compliance, and
- modernize their IT infrastructure at the same time.
This not only reduces the risk of cyberattacks, but can also have a positive impact on the company's productivity and agility.
Nowadays, cyber security is no longer just a technical challenge, but also a decisive factor for business success. After all, the impact of a successful cyberattack is immense:
- Data loss
- Reputational damage
- High financial costs
The aim of the FINMA regulations is to counteract such risks with appropriate security requirements and to help companies protect their systems.
The challenge for companies is that their IT landscape must be both secure and scalable at the same time. However, the use of modern technologies and professional managed services, such as a managed digital workplace, offers an opportunity to establish a high-performance infrastructure.
These are FINMA's requirements for the management of ICT risks
The latest FINMA circular dated January 1, 2024 is aimed at banks and financial institutions. It provides for significant adjustments to ensure the operational resilience of banks and the management of operational cyber and ICT risks.
ICT stands for information and communication technology and refers to all technologies, processes and systems that are used to store, use, process and transmit information. This includes the entire IT infrastructure of a financial institution, i.e. hardware, software, networks and data management.
The circulars are binding for the institutions concerned and the requirements must then be implemented in the operational processes and IT systems. FINMA's specific requirements for the management of cyber and ICT risks relate to these areas:
ICT strategy and governance
Institutions need a clear ICT strategy that fits in with the institution's general business strategy. This involves defining technological goals and priorities and ensuring that the IT infrastructure supports the business requirements. A governance structure is also required. It defines responsibilities, decision-making processes and control mechanisms for managing and controlling ICT risks. This allows risks to be systematically identified, assessed and continuously monitored.
Change management
Changes to ICT systems can become a risk. A formalized process and controls are needed to ensure that all changes to an IT infrastructure are systematically reviewed and tested. This is the only way to minimize potential risks from incorrectly implemented changes. This ensures that IT systems are available at all times.
ICT operations
Regular maintenance and monitoring of systems is essential to ensure that all components function reliably. By implementing proactive monitoring mechanisms, problems can be detected and rectified at an early stage. This can prevent operational capability from being jeopardized. After all, secure and stable ICT operations are the basis for maintaining the desired quality of services and minimizing operational risks.
Incident management
Despite all preventative measures, unexpected incidents can occur. In order to be able to react quickly, companies must implement processes that make it possible to identify, analyze and resolve IT incidents. Effective incident management is crucial to minimize disruptions and ensure that IT services are restored in the shortest possible time. To do this, companies need a well-structured response strategy.
Obligation to report
Cyber attacks must be reported informally within 24 hours of discovery and in detail within 72 hours. If services are outsourced to service providers, the reporting obligation remains with the contracting institution.
Further FINMA regulations for the cyber security of companies
The risk of cyber attacks grows as digitalization and interconnection increase. FINMA requires institutions to implement measures to identify, assess and combat cyber risks so that sensitive data and systems remain protected:
- Regular threat analyses that uncover vulnerabilities
- Development of defense strategies to detect and ward off attacks at an early stage
An important aspect of risk management is the protection of critical data. This data must first be defined and then protected in terms of its integrity and availability as well as against misuse and unauthorized access.
Operational resilience: why is it so important?
Business continuity management is needed to ensure that companies can continue operations in the event of disruptions. This requires plans to be developed and implemented, including emergency plans that are tailored to the IT infrastructure and any cybersecurity incidents.
After all, if a company is to be successful in the long term, it must be able to provide critical services even in the event of operational disruptions such as cyber attacks or system failures. This is called operational resilience. This resilience is necessary for the financial system to remain stable. Essential services for customers must remain available even in crisis situations. To ensure this, FINMA places high demands on security precautions, incident management and business continuity management.
If services are outsourced, institutions must ensure that their contracts contain clear cyber security requirements. The service providers must also regularly check whether these are being adhered to. They must also prove that they can respond to cyber attacks with the necessary measures.
FINMA believes it is important for companies to see cyber risks not just as a technology problem, but as a threat in its own right. Appropriate cyber risk management is therefore essential.
Focus on protecting data and infrastructure
Companies have the task of training their employees so that they develop an awareness of the risks of cybercrime. However, employees are not the only ones who need to contribute to the protection of IT infrastructure and data. It is also important to secure data and regularly test backups so that data can be restored quickly after an attack.
Exactly how to respond to cyber attacks, and which measures are to be taken, must be set out in complete response plans, and these plans must also be tested. Depending on the system relevance, institutions must carry out theoretical and practical exercises in order to be prepared for an emergency.
Risk assessment as the cornerstone of your IT security
A risk assessment (risk evaluation/analysis) lays the foundation for greater IT security. This systematic process identifies, evaluates and prioritizes potential risks within an organization. We are happy to support you in analyzing the risk in your company:
- We first analyze your systems, processes and data and then evaluate potential threats.
- We identify possible risks such as data loss, system failures or cyberattacks and analyze what consequences an attack could have for you: financially, legally and in terms of your reputation.
- We then compare the resulting risk matrix with our managed services to present you with the solution that best suits you.
Comply with FINMA regulations and strengthen cyber security with a Managed Digital Workplace
The challenge for companies is to ensure cyber security, data protection and regulatory compliance at the same time. This is possible with the right IT service, for example with a Managed Digital Workplace from Dinotronic. We are a digital workplace provider and have been on the market for over 30 years.
Our Managed Digital Workplace offers you a secure and fully digital working environment that promotes modern collaboration. The basis of the Digital Workplace is Microsoft Office 365, which we customize for you so that it fits the individual needs of your company. All your data is stored on servers in Switzerland. We are ISO 27001 certified, which is an important basis for compliance and trust. You receive from us:
- An e-mail inbox with signature for your internal and external communication.
- Access to a self-service portal that allows you to manage employees or customers yourself and assign roles. This gives you the advantage of being able to activate new users quickly and independently of opening hours. You can also manage software packages, mail distribution groups and change authorization structures.
- 24/7 support, thanks to our locations in two time zones (Switzerland and Vietnam). This enables us to quickly detect and analyze attacks and ensure the stable operation of your IT. We have a defined process for what happens in the event of security alerts, which enables us to comply with the reporting obligation stipulated by FINMA.
- A managed, audit-proof backup that is not only stored in a separate cloud, but is also tested by us on a regular basis. This means you are quickly up and running again after a cyberattack and your operational resilience is guaranteed in accordance with FINMA requirements.
We also carry out regular threat analyses and have defense strategies against cyberattacks. For example, we operate active tenant management (a tenant is an isolated area in a cloud environment) to prevent security gaps or compliance breaches from occurring in the first place. Thanks to this active tenant management, your cloud tenant is always up to date, functions optimally and meets company requirements.
We also use conditional access policies, which control access to applications, systems or data and apply specifically to the handling of digital certificates. They ensure that communication between users and systems is encrypted and that the identity of those involved is verified. They play an important role in protecting against cyberattacks such as phishing or man-in-the-middle attacks.
With these and other services, we comply with FINMA regulations regarding the management of cyber risks.
Additional services thanks to our Managed Digital Workplace Giga package for FINMA-regulated companies
With our Managed Digital Workplace Giga Package, which is aimed specifically at companies that work with sensitive data and are FINMA-regulated, you can meet the requirements.
In addition to the basics already listed, which all our packages have, the Giga package offers you additional services:
- A password vault with single sign-on, which allows you to encrypt, securely store and centrally manage all access data.
- Audit-proof journaling of your e-mail traffic.
- Compliant sealing of documents in accordance with GeBüV (Business Records Ordinance), with which electronic documents can be stored in a tamper-proof and traceable manner and remain valid in the long term.
- Sensitivity labeling: This refers to the integrated encryption and protection of sensitive data that we offer you at document level. Whether it is watermarks in documents, assigning authorizations or controlling what can be done with documents: with this feature of our Managed Digital Workplace Giga package, you can tick another box when it comes to compliance with FINMA regulations. Thanks to sensitivity labeling, your documents remain protected even in the event of an attack or data theft and cannot be opened or used without the correct authorizations. This means your documents always remain in the right hands.
- Professional printer queue management.
- A digital, legally compliant signature.
- The "Data Boundary CH / EU / UK / US" option, which allows services to be obtained exclusively from suppliers based within the borders of Switzerland, the EU, the UK or the USA. Data is then processed and handled in Switzerland in compliance with the DPA.
In addition, we rely on the zero trust principle. This means that every request sent to a system is critically scrutinized and checked, and no application, device, user or network is considered trustworthy by default. Access is only granted if the request is deemed trustworthy. This allows us to quickly identify unauthorized access and act accordingly. We also take care of the correct contracts, such as the Microsoft Customer Agreement. In this way, we support you in fulfilling the contractual requirements vis-à-vis Microsoft.
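As an added illustration (not Dinotronic's or Microsoft's code) of the deny-by-default evaluation behind the conditional access policies and the zero trust principle described above: a request is refused unless some policy covers the application, and every control of every applicable policy (MFA, compliant device, permitted sign-in location, sign-in risk) is satisfied. The policy names, signal names, sample policies and the combination rule are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    app: str
    mfa_passed: bool
    device_compliant: bool
    country: str          # ISO country code of the sign-in location
    sign_in_risk: str     # "low", "medium" or "high" (constructed scale)


@dataclass(frozen=True)
class Policy:
    name: str
    apps: frozenset                      # cloud apps the policy applies to
    require_mfa: bool = True
    require_compliant_device: bool = True
    allowed_countries: frozenset = frozenset({"CH"})
    blocked_risk: frozenset = frozenset({"high"})

    def failed_controls(self, req):
        """List every control of this policy that the request does not satisfy."""
        failed = []
        if self.require_mfa and not req.mfa_passed:
            failed.append("mfa")
        if self.require_compliant_device and not req.device_compliant:
            failed.append("device-compliance")
        if req.country not in self.allowed_countries:
            failed.append("location")
        if req.sign_in_risk in self.blocked_risk:
            failed.append("sign-in-risk")
        return failed


# Constructed sample policies (assumed names, not a real tenant's configuration).
POLICIES = (
    Policy("Mail-CH-only", frozenset({"mail"})),
    Policy("Docs-CH-EU", frozenset({"docs"}), allowed_countries=frozenset({"CH", "DE", "FR"})),
)


def evaluate(req, policies=POLICIES):
    """Deny by default: an app with no covering policy is refused, and every
    applicable policy must be fully satisfied before access is granted."""
    applicable = [p for p in policies if req.app in p.apps]
    if not applicable:
        return "deny", [f"no policy covers app '{req.app}'"]
    reasons = [f"{p.name}: failed {', '.join(f)}" for p in applicable if (f := p.failed_controls(req))]
    if reasons:
        return "deny", reasons
    return "grant", [f"{p.name}: all controls satisfied" for p in applicable]
```

The returned reasons are what such a decision would log, which is the record an incident responder needs when reconstructing an unauthorized access attempt.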
Conclusion
A Managed Digital Workplace from Dinotronic offers security, efficiency and compliance. It enables you to meet the requirements of FINMA and work in a modern way at the same time. This can have an impact on your competitiveness and contribute to greater employee satisfaction, while your IT security is in good hands with us.
Let us advise you on our FINMA-compliant Managed Digital Workplace and take your IT infrastructure to the next level.
