InfoGuard Cyber Security and Cyber Defence Blog

From FINMA audit to implementation: cyber resilience is a management task

Written by Michael Fossati | 12 Jan 2026

FINMA has further clarified its expectations regarding the handling of cyber risks in its Supervisory Communication 03/2024 "Findings from cyber risk supervisory activities". The communication draws on the results of the supervisory reviews carried out and the checkpoints provided, and specifies how institutions should effectively implement the requirements of FINMA Circular 2023/1 for controls, scenario-based cyber exercises, and detection and response capabilities.

In addition, FINMA has sharpened its understanding of operational resilience more broadly with Supervisory Communication 05/2025. That communication, however, does not address cyber security exclusively, but the overall resilience of institutions to operational disruptions.

This article therefore deliberately focuses on the cyber-related clarifications of Supervisory Communication 03/2024 and their significance for the implementation of audit findings in accordance with FINMA Circular 2023/1.

This is precisely where InfoGuard comes in: our experts support financial institutions in classifying audit reports and audit findings in a structured manner and in translating the resulting findings into effective, sustainable measures across governance, technology and operations.

The five most important requirements for successful FINMA implementation

FINMA requires structured management of cyber risks - from strategic management by the Board of Directors through to operational implementation.

Audits show that many financial institutions have frameworks and directives, but that the formal approval and monitoring of the cyber strategy is incomplete or missing. Reporting to management, the definition of key risk indicators (KRIs) or the clear delineation of tasks, competencies and responsibilities (AKV) are also often inadequate.

Cyber risks are often only managed as part of IT risk or operational risk, without specific tolerance values or quantifiable indicators. The inventory of ICT assets is often incomplete - particularly with regard to internal and external interfaces, decentralized applications and critical data sets and data flows.

The following five aspects are the focus for compliance with FINMA requirements:

  1. Development and support of the formal adoption of a dedicated cyber strategy, in accordance with FINMA Circular 2023/1
  2. Development of a cyber risk framework with clearly defined risk categories, tolerances and KRIs
  3. Asset and data inventory, including classification of critical information and data flows
  4. Integration of international standards, in particular NIST CSF with the profile of the Cyber Risk Institute (CRI), into control and reporting processes
  5. Support in the definition of AKVs and governance structures (including reporting)

The five key measures: Systematically identify and eliminate vulnerabilities

Effective vulnerability management forms the foundation of cyber resilience.

However, audits clearly show that many institutions have neither formal vulnerability management nor clearly defined processes and multi-year plans for penetration tests or vulnerability analyses.

In practice, many institutions limit tests to individual sub-areas, carry them out irregularly and fail to systematically follow up and rectify identified vulnerabilities.

A central risk, however, frequently remains untested: scenario-based cyber exercises often leave out critical service providers and do not focus enough on the real threat situation of the financial institution.

You should tackle these five implementation measures now:

  1. Establish a risk-based vulnerability management process
  2. Plan and carry out regular penetration tests (internal, external, web, mobile, cloud, red teaming)
  3. Get support in prioritizing and tracking findings until they are closed
  4. Integrate vulnerability reports into SIEM or GRC systems
  5. Conduct cyber exercises and tabletop exercises (TTX) to check responsiveness

InfoGuard supports you in implementing these measures with a FINMA gap analysis.

Detection & response: protect sensitive data in 5 steps

The ability to detect and respond to anomalies at an early stage is crucial for the protection of critical data.

Audit reports show that institutions often do not have a complete baseline defined for their ICT systems. The coverage of SIEM use cases is also often not aligned with institution-specific risks. Playbooks and response processes are rarely reviewed or tested.

The following five steps will increase your detection & response capability:

  1. Define baselines for all critical systems
  2. Review and optimize SIEM use cases based on your individual threat situation
  3. Establish or expand the Security Operations Center (SOC) with 24/7 monitoring
  4. Use case engineering to develop specific detection rules for your risks
  5. Establish and regularly validate playbooks and incident response processes

An effective detection & response strategy combines technical capabilities with a clear understanding of regulatory requirements, creating the basis for FINMA-compliant implementation.

Recovery on the test bench: 4 resilient measures

Many institutions rely on existing BCM structures without supplementing them with cyber-specific recovery plans.

Response and recovery scenarios are often not sufficiently tested and service providers are not monitored enough. In an emergency, there is a risk that the resumption of business operations will be delayed or uncoordinated.

Four measures will fundamentally strengthen your cyber resilience:

  1. Develop cyber-specific contingency and recovery plans
  2. Conduct realistic recovery exercises (including simulations of ransomware scenarios)
  3. Review and monitor provider services (incl. SOC/ISAE reports)
  4. Integrate cyber resilience into existing BCM frameworks

Only through tested recovery processes, clearly defined responsibilities and the involvement of critical service providers can a financial institution remain capable of acting in an emergency and meet FINMA's expectations for effective cyber resilience.

5 Protection mechanisms for critical data: What FINMA specifically requires

The protection of critical data is at the heart of the security strategy required by FINMA.

However, audit reports show that many institutions lack an adequate data loss prevention (DLP) concept, have unclear authorization processes, no system hardening requirements and no end-to-end patch management. Network security and the implementation of EDR/XDR solutions also often lack the required transparency, consistency and control.

The following five robust and transparent protective measures are key to implementing FINMA requirements in a comprehensible manner:

  1. Development and introduction of a DLP framework
  2. Establishment of role and authorization concepts with regular reviews
  3. Network security assessment, implementation of segmentation, firewalls and NAC
  4. Implementation of Endpoint Detection & Response (EDR/XDR) and integration into the SOC
  5. Definition of hardening and patch management processes including automation and reporting

An end-to-end security architecture - from endpoint protection to network control - creates transparency, reduces risks and supports institutions in effectively meeting FINMA requirements.

Managing the outsourcing of IT infrastructures in compliance with FINMA

If institutions outsource key IT or security services to external service providers, they still retain full responsibility under supervisory law. Contracts often lack the corresponding clauses, monitoring is limited to checking the reports provided by the service providers (such as ISAE 3402 or SOC 2 reports), and service providers only partially fulfill the regulatory requirements.

The following four measures are key to managing outsourcing in compliance with FINMA:

  1. Inventory of all outsourcing arrangements, including identification of key or critical service providers
  2. Ensuring that service providers meet the regulatory requirements
  3. Implementation of regular and efficient monitoring of service providers
  4. Adjustment of contracts with service providers

Only through this structured management do institutions retain end-to-end regulatory responsibility and ensure that outsourced services meet FINMA requirements.

FINMA Circular 23/1: Implementing cyber resilience effectively

Audit findings are not a step backwards, but a precise reflection of the current level of maturity and a real opportunity. They show where governance, technology and processes need to be sharpened in order to meet FINMA's expectations of effective cyber resilience. The decisive factor here is not the number of findings, but the structured approach to dealing with them - from classification to sustainable implementation in operations.

Financial institutions are faced with recurring issues, including in the following areas:

  1. Outsourcing management (FINMA 23/1 compliance)
  2. Preparation for FINMA audits
  3. Realization and implementation of FINMA audit findings
  4. Business continuity planning (BCP) for outsourced services
  5. Assessment of threat scenarios for outsourced services
  6. Adaptation of incident response plans
  7. Review of data flows to service providers

For many institutions, the regulatory audit has already been carried out and the findings are known. The challenge now lies in implementation.

InfoGuard supports you in translating audit findings into prioritized, realistically implementable measures and anchoring these operationally - from architecture and process design to integration into ongoing SOC operations.

Cyber resilience is not created in the audit, but in day-to-day operations.
