To ensure the best browsing experience, please enable JavaScript in your web browser. Without it, many website features are inaccessible.


Total Tests:
485,773,462
737,046
130,956

Swiss FINMA Compliance

FINMA Circular 2023/1 requires Swiss banks to manage operational and cyber risk and test their resilience.
Learn how ImmuniWeb supports its vulnerability analyses and penetration testing.

Read Time: 8 min. Updated: July 8, 2025
Swiss FINMA Circular 2023/1 Compliance
Please fill in the fields highlighted in red below

Talk to a Specialist about
Swiss FINMA Compliance

  • Start your free trial of ImmuniWeb products
  • Receive personalized product pricing
  • Talk to our technical experts
Gartner Cool Vendor
SC Media
IDC Innovator
*
*
Private and ConfidentialYour data will stay private and confidential

Swiss FINMA Compliance

What Is FINMA's operational-risk circular?

Circular 2023/1 concretizes FINMA's supervisory practice on operational risk, ICT governance, cyber risk, critical-data handling, cross-border services and operational resilience. Operational resilience is the ability to restore critical functions within a defined tolerance after a disruption.

For cyber risk, institutions are expected to identify, protect, detect, respond to and recover from cyber threats - including conducting regular vulnerability analyses, penetration tests and cyber exercises - and to report cyberattacks to FINMA under Guidance 05/2020.

See how ImmuniWeb supports FINMA's vulnerability analyses and penetration testing - for the banking applications that matter. Request a demo· or run a free Community Edition test.

Who Must Comply with FINMA?

Circular 2023/1 applies to:

  • Swiss banks and securities firms supervised by FINMA.
  • Financial groups and conglomerates within scope of FINMA supervision.
  • Other institutions to a proportionate extent, based on size, complexity and risk profile.

The web, mobile and API applications these institutions run fall within the circular's cyber expectations.

Key FINMA Requirements for Application Security

Within cyber risk management, several expectations drive application-security work:

  • • Vulnerability analyses: conduct regular analyses to identify vulnerabilities in ICT systems and applications.
  • • Penetration testing: perform regular penetration tests; larger institutions are expected to use threat-led testing (comparable to TIBER/TLPT).
  • • Protect & respond: protect the confidentiality, integrity and availability of critical data and ICT, and respond to identified vulnerabilities.

FINMA Cyber Requirements in Depth

Vulnerability Analyses and Penetration Testing

FINMA expects institutions to carry out regular vulnerability analyses and penetration tests of their ICT systems and applications, and to remediate the issues found. Supervisory reviews have flagged testing that is too narrow - so coverage of the relevant web, mobile and API applications matters, with threat-led testing for larger institutions.

Cyber Risk Protection and Incident Reporting

Institutions must protect critical data and ICT and respond to vulnerabilities, and must report cyberattacks to FINMA - a 24-hour early warning and a 72-hour detailed report under Guidance 05/2020. Reducing incident likelihood through regular testing supports both.

Common Web & Mobile Application Risks to Address

The application vulnerabilities FINMA expects you to find map closely to the OWASP Top 10:

  • Broken Access Control — users reaching data or actions they should not.
  • Cryptographic Failures — weak or missing encryption exposing sensitive data.
  • Injection — SQL, command or other injection via unvalidated input.
  • Insecure Design — missing security controls by design, not just by bug.
  • Security Misconfiguration — default, incomplete or unsafe configuration.
  • Vulnerable & Outdated Components — unpatched libraries and frameworks.
  • Identification & Authentication Failures — weak login, session or credential handling.
  • Software & Data Integrity Failures —untrusted updates, insecure CI/CD pipelines.
  • Security Logging & Monitoring Failures — attacks going undetected.
  • Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.

For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.

How to Support FINMA Circular 2023/1 with ImmuniWeb

  1. Map ICT assets. . Inventory internet-facing banking apps and APIs with ImmuniWeb Discovery.
  2. Run vulnerability analyses with Neuron scanning.
  3. Penetration test web and mobile applications with On-Demand and MobileSuite.
  4. Support threat-led testing with expert-led manual engagements for larger institutions.
  5. Remediate and retest with actionable, zero-false-positive reports.
  6. Test continuously with Continuous in CI/CD.

How ImmuniWeb Helps You Achieve FINMA Compliance

ImmuniWeb supports FINMA's vulnerability-analysis and penetration-testing expectations with evidence ready for supervisory review.

Requirement What it requires ImmuniWeb products
Penetration testing Regular and threat-led penetration testing. On-Demand, MobileSuite
Vulnerability analyses Regular vulnerability analyses and remediation. Neuron, Discovery
Secure development Embed testing across the life cycle. Continuous

ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing (including support for threat-led engagements); Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps the attack surface - producing evidence for FINMA supervision.

FINMA vs International Frameworks

If you already work to international standards, the same ImmuniWeb testing supports all of them:

Framework Application-security angle How ImmuniWeb maps
FINMA Circular 2023/1 Vulnerability analyses + penetration testing Web/mobile pentest, scanning, ASM, threat-led support
EU DORA Resilience testing (financial sector) Same testing supports both
Swiss FADP Data security (Article 8) Same testing supports both
ISO/IEC 27001 Annex A technical controls Testing as control evidence

Penetration Testing vs Security Scanning

Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds business-logic and complex vulnerabilities that scanners miss and produces the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and re-test after significant changes.

Compliance Checklist (Application Security)

  • Inventory of internet-facing banking apps and APIs
  • Regular vulnerability analyses performed
  • Penetration testing performed (threat-led for larger institutions)
  • Critical data and ICT protected; vulnerabilities remediated
  • Findings remediated and re-tested; evidence retained
  • Cyberattack reporting workflow ready (24h / 72h)
  • Operational-resilience testing for critical functions

Why FINMA Compliance Matters

FINMA supervises Swiss financial institutions and expects demonstrable cyber risk management, including regular vulnerability analyses and penetration testing of critical systems, with a strict 24-hour / 72-hour cyberattack reporting regime. Supervisory reviews have specifically flagged testing that is too narrow.

Because web, mobile and API applications are a primary attack surface for banks, demonstrable testing is one of the most direct ways to meet FINMA's cyber expectations and support operational resilience.

Frequently Asked Questions

  • Q
    What is FINMA Circular 2023/1?
    A
    FINMA's circular 'Operational risks and resilience - banks', in force since 1 January 2024, setting operational-risk, cyber and resilience expectations for Swiss financial institutions.
  • Q
    Who must comply with FINMA Circular 2023/1?
    A
    Swiss banks and securities firms, with proportionate expectations extending to other institutions based on size, complexity and risk.
  • Q
    What does FINMA expect for cyber testing?
    A
    Regular vulnerability analyses and penetration tests, with threat-led testing (comparable to TIBER/TLPT) for larger institutions.
  • Q
    What are FINMA's cyberattack reporting deadlines?
    A
    An early warning within 24 hours and a detailed report within 72 hours, under FINMA Guidance 05/2020.
  • Q
    How does ImmuniWeb help with FINMA compliance?
    A
    By providing vulnerability analyses and web and mobile penetration testing (including support for threat-led engagements) with evidence for supervisory review.
  • Q
    Does FINMA apply to non-banks?
    A
    The circular targets banks and securities firms, but many expectations apply proportionately to other supervised institutions.
Please fill in the fields highlighted in red below

Talk to a Specialist about
Swiss FINMA Compliance

  • Start your free trial of ImmuniWeb products
  • Receive personalized product pricing
  • Talk to our technical experts
Gartner Cool Vendor
SC Media
IDC Innovator
*
*
Private and ConfidentialYour data will stay private and confidential
Talk to an Expert