FINMA
Switzerland's financial market supervisory authority (Eidgenössische Finanzmarktaufsicht), which sets binding cybersecurity and data protection requirements for banks, insurers, and financial intermediaries.
FINMA (Eidgenössische Finanzmarktaufsicht) is Switzerland’s independent financial market regulator. It supervises banks, insurance companies, financial intermediaries and fintech firms. Its cybersecurity expectations go beyond the nDSG (the revised Federal Act on Data Protection), reflecting the elevated risk profile of financial data and the systemic importance of the institutions it supervises.
Key Cybersecurity Requirements
FINMA’s operational risk circulars (notably Circular 2023/1 “Operational risks and resilience – banks” and Circular 2018/3 “Outsourcing”) and its supervisory guidance set the following expectations:
- Multi-factor authentication: MFA for access to sensitive systems is a requirement, not a recommendation. Hardware tokens are the expected control for privileged accounts.
- Encryption: Data must be encrypted in transit and at rest, and key management must follow documented, auditable procedures.
- Network segmentation: Critical systems must be isolated from general office networks, with the isolation enforced by firewalls and access controls rather than by convention.
- Third-party risk management: Outsourcing to cloud providers or IT vendors does not transfer regulatory responsibility. FINMA expects documented due diligence, contractual security clauses, and audit and access rights over the provider.
- Incident management: Significant cyber attacks must be reported to FINMA (FINMA Guidance 05/2020: initial notification within 24 hours of detection, full report within 72 hours). This is in addition to the BACS 24-hour reporting obligation for operators of critical infrastructure.
- Business continuity: Documented disaster recovery and backup procedures, tested regularly, with recovery objectives defined for critical functions.
FINMA vs. nDSG
| Aspect | nDSG | FINMA |
|---|---|---|
| Scope | All organizations processing personal data in Switzerland | Financial institutions regulated by FINMA |
| Authority | EDÖB (Federal Data Protection and Information Commissioner) | FINMA |
| Focus | Personal data protection | Operational resilience and financial stability |
| Penalties | Fines up to CHF 250,000 (against responsible individuals, not the company) | Enforcement measures, disgorgement of profits, license revocation, industry bans |
| Incident reporting | Breach notification to EDÖB as soon as possible where the breach is likely to result in high risk to data subjects | Cyber attack reporting to FINMA (24 h initial notification), plus BACS if the firm is a critical infrastructure operator |
Both apply simultaneously to financial institutions. An incident that exposes client data triggers obligations under both frameworks.
Who Is Affected
FINMA supervision covers:
- Banks and securities firms
- Insurance companies
- Fund management companies and asset managers of collective investment schemes
- Holders of the fintech licence (the regulatory sandbox below CHF 1 million in public deposits requires no licence but remains subject to anti-money-laundering supervision)
- Financial intermediaries under the Anti-Money Laundering Act, supervised indirectly through FINMA-recognised self-regulatory organisations (SROs)
Indirect impact extends to technology vendors, cloud providers and consultants who serve financial institutions: FINMA holds its regulated entities responsible for ensuring that their supply chain meets equivalent security standards, so those expectations flow down through contracts.
Practical Implications
For Swiss financial services firms:
- Baseline security tooling (endpoint protection, secure remote access, centrally managed credentials) is not optional; it is the minimum a supervisor or audit firm will expect to see in place
- Regular security assessments and penetration tests are expected, typically on at least an annual cycle, with findings tracked to remediation
- Employee security awareness training must be carried out and documented
- Cloud adoption requires contracts that satisfy FINMA’s outsourcing requirements (audit and access rights, data location transparency) and an assessment of data residency, particularly for data stored outside Switzerland