Swiss FINMA Compliance
FINMA Circular 2023/1 requires Swiss banks to manage operational and cyber risk and test their resilience.
Learn how ImmuniWeb supports its vulnerability analyses and penetration testing.
Swiss FINMA Compliance
What Is FINMA's operational-risk circular?
Circular 2023/1 concretizes FINMA's supervisory practice on operational risk, ICT governance, cyber risk, critical-data handling, cross-border services and operational resilience. Operational resilience is the ability to restore critical functions within a defined tolerance after a disruption.
For cyber risk, institutions are expected to identify, protect, detect, respond to and recover from cyber threats - including conducting regular vulnerability analyses, penetration tests and cyber exercises - and to report cyberattacks to FINMA under Guidance 05/2020.
See how ImmuniWeb supports FINMA's vulnerability analyses and penetration testing - for the banking applications that matter. Request a demo· or run a free Community Edition test.
Who Must Comply with FINMA?
Circular 2023/1 applies to:
- Swiss banks and securities firms supervised by FINMA.
- Financial groups and conglomerates within scope of FINMA supervision.
- Other institutions to a proportionate extent, based on size, complexity and risk profile.
The web, mobile and API applications these institutions run fall within the circular's cyber expectations.
Key FINMA Requirements for Application Security
Within cyber risk management, several expectations drive application-security work:
- • Vulnerability analyses: conduct regular analyses to identify vulnerabilities in ICT systems and applications.
- • Penetration testing: perform regular penetration tests; larger institutions are expected to use threat-led testing (comparable to TIBER/TLPT).
- • Protect & respond: protect the confidentiality, integrity and availability of critical data and ICT, and respond to identified vulnerabilities.
FINMA Cyber Requirements in Depth
Vulnerability Analyses and Penetration Testing
FINMA expects institutions to carry out regular vulnerability analyses and penetration tests of their ICT systems and applications, and to remediate the issues found. Supervisory reviews have flagged testing that is too narrow - so coverage of the relevant web, mobile and API applications matters, with threat-led testing for larger institutions.
Cyber Risk Protection and Incident Reporting
Institutions must protect critical data and ICT and respond to vulnerabilities, and must report cyberattacks to FINMA - a 24-hour early warning and a 72-hour detailed report under Guidance 05/2020. Reducing incident likelihood through regular testing supports both.
Common Web & Mobile Application Risks to Address
The application vulnerabilities FINMA expects you to find map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — missing security controls by design, not just by bug.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures —untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks going undetected.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Support FINMA Circular 2023/1 with ImmuniWeb
- Map ICT assets. . Inventory internet-facing banking apps and APIs with ImmuniWeb Discovery.
- Run vulnerability analyses with Neuron scanning.
- Penetration test web and mobile applications with On-Demand and MobileSuite.
- Support threat-led testing with expert-led manual engagements for larger institutions.
- Remediate and retest with actionable, zero-false-positive reports.
- Test continuously with Continuous in CI/CD.
How ImmuniWeb Helps You Achieve FINMA Compliance
ImmuniWeb supports FINMA's vulnerability-analysis and penetration-testing expectations with evidence ready for supervisory review.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Penetration testing | Regular and threat-led penetration testing. | On-Demand, MobileSuite |
| Vulnerability analyses | Regular vulnerability analyses and remediation. | Neuron, Discovery |
| Secure development | Embed testing across the life cycle. | Continuous |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing (including support for threat-led engagements); Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps the attack surface - producing evidence for FINMA supervision.
FINMA vs International Frameworks
If you already work to international standards, the same ImmuniWeb testing supports all of them:
| Framework | Application-security angle | How ImmuniWeb maps |
|---|---|---|
| FINMA Circular 2023/1 | Vulnerability analyses + penetration testing | Web/mobile pentest, scanning, ASM, threat-led support |
| EU DORA | Resilience testing (financial sector) | Same testing supports both |
| Swiss FADP | Data security (Article 8) | Same testing supports both |
| ISO/IEC 27001 | Annex A technical controls | Testing as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing banking apps and APIs
- Regular vulnerability analyses performed
- Penetration testing performed (threat-led for larger institutions)
- Critical data and ICT protected; vulnerabilities remediated
- Findings remediated and re-tested; evidence retained
- Cyberattack reporting workflow ready (24h / 72h)
- Operational-resilience testing for critical functions
Why FINMA Compliance Matters
FINMA supervises Swiss financial institutions and expects demonstrable cyber risk management, including regular vulnerability analyses and penetration testing of critical systems, with a strict 24-hour / 72-hour cyberattack reporting regime. Supervisory reviews have specifically flagged testing that is too narrow.
Because web, mobile and API applications are a primary attack surface for banks, demonstrable testing is one of the most direct ways to meet FINMA's cyber expectations and support operational resilience.