Swiss FINMA Compliance
FINMA Circular 2023/1 requires Swiss banks to manage operational and cyber risk and test their resilience. Learn how ImmuniWeb supports the circular's vulnerability-analysis and penetration-testing expectations.
What Is FINMA's operational-risk circular?
Circular 2023/1 concretizes FINMA's supervisory practice on operational risk, ICT governance, cyber risk, critical-data handling, cross-border services and operational resilience. Operational resilience is the ability to restore critical functions within a defined tolerance after a disruption.
For cyber risk, institutions are expected to identify, protect, detect, respond to and recover from cyber threats - including conducting regular vulnerability analyses, penetration tests and cyber exercises - and to report cyberattacks to FINMA under Guidance 05/2020.
See how ImmuniWeb supports FINMA's vulnerability analyses and penetration testing for the banking applications that matter. Request a demo or run a free Community Edition test.
Who Must Comply with FINMA?
Circular 2023/1 applies to:
- Swiss banks and securities firms supervised by FINMA.
- Financial groups and conglomerates within FINMA's supervisory scope.
- Other institutions to a proportionate extent, based on size, complexity and risk profile.
The web, mobile and API applications these institutions run fall within the circular's cyber expectations.
Key FINMA Requirements for Application Security
Within cyber risk management, several expectations drive application-security work:
- Vulnerability analyses: conduct regular analyses to identify vulnerabilities in ICT systems and applications.
- Penetration testing: perform regular penetration tests; larger institutions are expected to use threat-led testing (comparable to TIBER/TLPT).
- Protect and respond: protect the confidentiality, integrity and availability of critical data and ICT, and respond to identified vulnerabilities.
FINMA Cyber Requirements in Depth
Vulnerability Analyses and Penetration Testing
FINMA expects institutions to carry out regular vulnerability analyses and penetration tests of their ICT systems and applications, and to remediate the issues found. Supervisory reviews have flagged testing that is too narrow - so coverage of the relevant web, mobile and API applications matters, with threat-led testing for larger institutions.
Cyber Risk Protection and Incident Reporting
Institutions must protect critical data and ICT and respond to vulnerabilities, and must report cyberattacks to FINMA - a 24-hour early warning and a 72-hour detailed report under Guidance 05/2020. Reducing incident likelihood through regular testing supports both.
Common Web and Mobile Application Risks to Address
The application vulnerabilities FINMA expects you to find map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption that exposes sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — security controls missing by design, not just through coding errors.
- Security Misconfiguration — default, incomplete or unsafe configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification and Authentication Failures — weak login, session or credential management.
- Software and Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging and Monitoring Failures — attacks that go unnoticed.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
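Two of the categories above, Injection and Broken Access Control, are the ones most often found in banking APIs, and the difference between the weak and the hardened form is small enough to show side by side. The following is an added example written for this page, not ImmuniWeb code: it builds a constructed in-memory SQLite table of two accounts and contrasts a string-spliced lookup with a parameterised one, and an unscoped balance query with one that enforces ownership in the query itself. Function and table names are illustrative assumptions.

```python
import sqlite3


def build_db():
    """Constructed sample data (not from the page): two customers, one account each."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT, iban TEXT, balance INTEGER)"
    )
    conn.executemany(
        "INSERT INTO accounts (id, owner, iban, balance) VALUES (?, ?, ?, ?)",
        [
            (1, "alice", "CH00 SAMPLE 0001", 1200),  # constructed, not real IBANs
            (2, "bob", "CH00 SAMPLE 0002", 300),
        ],
    )
    return conn


# --- Injection (OWASP A03) ----------------------------------------------------

def find_by_iban_vulnerable(conn, iban):
    """Deliberately vulnerable: caller input is spliced into the SQL text,
    so a quote in the input changes the structure of the statement."""
    query = f"SELECT id, owner FROM accounts WHERE iban = '{iban}'"
    return conn.execute(query).fetchall()


def find_by_iban_safe(conn, iban):
    """Parameterised query: the driver sends the value separately from the
    SQL text, so input can only ever be compared as data."""
    return conn.execute(
        "SELECT id, owner FROM accounts WHERE iban = ?", (iban,)
    ).fetchall()


# --- Broken Access Control (OWASP A01) ----------------------------------------

def balance_vulnerable(conn, session_user, account_id):
    """Deliberately vulnerable: the account id comes from the request and the
    logged-in user is never checked against the account's owner (IDOR)."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ?", (account_id,)
    ).fetchone()
    return row[0] if row else None


def balance_safe(conn, session_user, account_id):
    """Ownership is part of the query, so the server enforces it on every
    request regardless of what id the client supplies."""
    row = conn.execute(
        "SELECT balance FROM accounts WHERE id = ? AND owner = ?",
        (account_id, session_user),
    ).fetchone()
    return row[0] if row else None


def demonstrate():
    """Runs both pairs against the sample data and returns the observations
    a tester would record: a tautology input that widens the vulnerable
    lookup to every row, and a cross-account read that the safe variant
    refuses."""
    conn = build_db()
    tautology = "' OR '1'='1"  # textbook probe input used only to show the contrast
    return {
        "injection_vulnerable_rows": len(find_by_iban_vulnerable(conn, tautology)),
        "injection_safe_rows": len(find_by_iban_safe(conn, tautology)),
        "idor_vulnerable_balance": balance_vulnerable(conn, "bob", 1),
        "idor_safe_balance": balance_safe(conn, "bob", 1),
        "owner_balance": balance_safe(conn, "alice", 1),
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

A DAST scanner will typically catch the first pair because the response changes shape with the input; the second pair is the kind of business-logic flaw that needs a tester with two accounts and an understanding of who should see what, which is why the page pairs scanning with manual penetration testing.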
How to Support FINMA Circular 2023/1 with ImmuniWeb
- Map ICT assets. Inventory internet-facing banking apps and APIs with ImmuniWeb Discovery.
- Run vulnerability analyses with Neuron scanning.
- Penetration test web and mobile applications with On-Demand and MobileSuite.
- Support threat-led testing with expert-led manual engagements for larger institutions.
- Remediate and retest with actionable reports and zero false positives.
- Test continuously with Continuous in CI/CD.
How ImmuniWeb Helps You Achieve FINMA Compliance
ImmuniWeb supports FINMA's vulnerability-analysis and penetration-testing expectations with evidence ready for supervisory review.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Penetration testing | Regular and threat-led penetration tests. | On-Demand, MobileSuite |
| Vulnerability analyses | Regular vulnerability analyses and remediation. | Neuron, Discovery |
| Secure development | Embed testing across the life cycle. | Continuous |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing (including support for threat-led engagements); Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps the attack surface - producing evidence for FINMA supervision.
FINMA vs International Frameworks
If you already work with international standards, the same ImmuniWeb tests support all of them:
| Framework | Application-security perspective | How ImmuniWeb maps |
|---|---|---|
| FINMA Circular 2023/1 | Vulnerability analyses + penetration testing | Web and mobile penetration testing, scanning, ASM and threat-led support |
| EU DORA | Resilience testing (financial sector) | The same tests cover both |
| Swiss FADP | Data security (Article 8) | The same tests cover both |
| ISO/IEC 27001 | Annex A technical controls | Tests as evidence of controls |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is ideal for continuous testing in CI/CD; manual penetration testing finds the business-logic and complex vulnerabilities that scanners miss, and provides the depth that auditors and regulators expect. Combine continuous scanning with periodic manual penetration tests, and retest after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing banking apps and APIs
- Regular vulnerability analyses performed
- Penetration testing performed (threat-led for larger institutions)
- Critical data and ICT protected; vulnerabilities remediated
- Findings remediated and revalidated; evidence retained
- Cyberattack notification workflow prepared (24 h / 72 h)
- Operational-resilience testing for critical functions
Why FINMA Compliance Matters
FINMA supervises Swiss financial institutions and expects demonstrable cyber risk management, including regular vulnerability analyses and penetration testing of critical systems, with a strict 24-hour / 72-hour cyberattack reporting regime. Supervisory reviews have specifically flagged testing that is too narrow.
Because web, mobile and API applications are a primary attack surface for banks, demonstrable testing is one of the most direct ways to meet FINMA's cyber expectations and support operational resilience.