Swiss FINMA Compliance
FINMA Circular 2023/1 requires Swiss banks to manage operational and cyber risk and test their resilience. Learn how ImmuniWeb supports its vulnerability analyses and penetration testing.
What is the FINMA Circular on Operational Risk?
Circular 2023/1 concretizes FINMA's supervisory practice on operational risk, ICT governance, cyber risk, critical-data handling, cross-border services and operational resilience. Operational resilience is the ability to restore critical functions within a defined tolerance after a disruption.
For cyber risk, institutions are expected to identify, protect, detect, respond to and recover from cyber threats - including conducting regular vulnerability analyses, penetration tests and cyber exercises - and to report cyberattacks to FINMA under Guidance 05/2020.
See how ImmuniWeb supports FINMA's vulnerability analyses and penetration testing - for the banking applications that matter. Request a demo or run a free Community Edition test.
Who Must Comply with FINMA?
Circular 2023/1 applies to:
- Swiss banks and securities firms supervised by FINMA.
- Financial groups and conglomerates within scope of FINMA supervision.
- Other institutions to a proportionate extent, based on size, complexity and risk profile.
The web, mobile and API applications these institutions run fall within the circular's cyber expectations.
Key FINMA Requirements for Application Security
Within cyber risk management, several expectations drive application-security work:
- Vulnerability analyses: conduct regular analyses to identify vulnerabilities in ICT systems and applications.
- Penetration testing: perform regular penetration tests; larger institutions are expected to use threat-led testing (comparable to TIBER/TLPT).
- Protect & respond: protect the confidentiality, integrity and availability of critical data and ICT, and respond to identified vulnerabilities.
FINMA Cyber Requirements in Depth
Vulnerability Analyses and Penetration Testing
FINMA expects institutions to carry out regular vulnerability analyses and penetration tests of their ICT systems and applications, and to remediate the issues found. Supervisory reviews have flagged testing that is too narrow - so coverage of the relevant web, mobile and API applications matters, with threat-led testing for larger institutions.
Cyber Risk Protection and Incident Reporting
Institutions must protect critical data and ICT and respond to vulnerabilities, and must report cyberattacks to FINMA - a 24-hour early warning and a 72-hour detailed report under Guidance 05/2020. Reducing incident likelihood through regular testing supports both.
Common Web and Mobile Application Risks to Remediate
The application vulnerabilities FINMA expects you to find map closely to the OWASP Top 10:
- Broken Access Control — users reaching data or actions they should not.
- Cryptographic Failures — weak or missing encryption exposing sensitive data.
- Injection — SQL, command or other injection via unvalidated input.
- Insecure Design — security controls missing by design, not merely because of a bug.
- Security Misconfiguration — default, incomplete or insecure configuration.
- Vulnerable & Outdated Components — unpatched libraries and frameworks.
- Identification & Authentication Failures — weak login, session or credential handling.
- Software & Data Integrity Failures — untrusted updates, insecure CI/CD pipelines.
- Security Logging & Monitoring Failures — attacks go unnoticed.
- Server-Side Request Forgery (SSRF) — the server tricked into making malicious requests.
For mobile apps, the OWASP Mobile Top 10 is the equivalent reference (insecure data storage, insecure communication, weak cryptography, and so on). Reliably finding these issues requires testing the running application, not just a documentation review.
How to Support FINMA Circular 2023/1 with ImmuniWeb
- Map ICT assets. Inventory internet-facing banking apps and APIs with ImmuniWeb Discovery.
- Run vulnerability analyses with Neuron scanning.
- Penetration test web and mobile applications with On-Demand and MobileSuite.
- Support threat-led testing with expert-led manual engagements for larger institutions.
- Remediate and retest with actionable, false-positive-free reports.
- Test continuously with Continuous in CI/CD.
How ImmuniWeb Helps You Achieve FINMA Compliance
ImmuniWeb supports FINMA's vulnerability-analysis and penetration-testing expectations with evidence ready for supervisory review.
| Requirement | What it requires | ImmuniWeb products |
|---|---|---|
| Penetration testing | Regular and threat-led penetration testing. | On-Demand, MobileSuite |
| Vulnerability analyses | Regular vulnerability analyses and remediation. | Neuron, Discovery |
| Secure development | Embed testing across the life cycle. | Continuous |
ImmuniWeb On-Demand and MobileSuite deliver web and mobile penetration testing (including support for threat-led engagements); Neuron and Neuron Mobile provide automated scanning; Continuous embeds testing into CI/CD; and Discovery maps the attack surface - producing evidence for FINMA supervision.
FINMA vs International Frameworks
If you already comply with international standards, the same ImmuniWeb tests cover them all:
| Framework | Application-security perspective | How ImmuniWeb aligns |
|---|---|---|
| FINMA Circular 2023/1 | Vulnerability analyses + penetration testing | Web/mobile pentest, scanning, ASM, threat-led support |
| EU DORA | Resilience testing (financial sector) | The same tests cover both |
| Swiss Federal Act on Data Protection (FADP) | Data security (Article 8) | The same tests cover both |
| ISO/IEC 27001 | Annex A: technical controls | Tests as control evidence |
Penetration Testing vs Security Scanning
Both are needed. Automated scanning (DAST) gives broad, frequent coverage and is well suited to continuous testing in CI/CD; manual penetration testing finds the business-logic and complex vulnerabilities that scanners miss and delivers the depth auditors and regulators expect. Combine continuous scanning with periodic manual penetration testing, and retest after significant changes.
Compliance Checklist (Application Security)
- Inventory of internet-facing banking applications and APIs
- Regular vulnerability analyses performed
- Penetration testing performed (threat-led for larger institutions)
- Critical data and ICT protected; vulnerabilities remediated
- Findings remediated and re-tested; evidence retained
- Cyberattack reporting workflow ready (24h / 72h)
- Operational-resilience testing for critical functions
Why FINMA Compliance Matters
FINMA supervises Swiss financial institutions and expects demonstrable cyber risk management, including regular vulnerability analyses and penetration testing of critical systems, with a strict 24-hour / 72-hour cyberattack reporting regime. Supervisory reviews have specifically flagged testing that is too narrow.
Because web, mobile and API applications are a primary attack surface for banks, demonstrable testing is one of the most direct ways to meet FINMA's cyber expectations and support operational resilience.