FINMA annual report: cyber risk now structural

In nearly half of cyberattacks on FINMA-supervised institutions in 2025, the target was a service provider or outsourcing partner, not the institution itself. The supply chain is now a significant attack surface.


In close to half of all cyberattacks reported by FINMA-supervised institutions in 2025, the initial target was not the institution itself – it was a service provider or outsourcing partner. That finding, presented at FINMA's annual media conference last month and published in the FINMA Annual Report 2025, should recalibrate how financial services firms in Geneva think about cybersecurity investment. The perimeter has moved. Protecting your own infrastructure, while leaving your vendor relationships unexamined, is no longer a defensible posture.

The data is set out in the FINMA Annual Report 2025. The report draws on mandatory incident reports submitted by supervised institutions under the reporting obligations FINMA places on banks, insurers, and other regulated entities. It is the most authoritative picture available of the cyber threat landscape as it specifically affects Switzerland's regulated financial sector.

How FINMA collects this data

FINMA requires supervised institutions to report cyberattacks that have a material impact on their operations, data, or client assets. These reports are confidential and aggregated by FINMA for supervisory analysis. The "nearly half" figure for supply chain targets is derived from FINMA's analysis of those mandatory submissions across the 2025 reporting year.

This is distinct from the NCSC's voluntary and mandatory incident reporting, which covers a broader population. FINMA's data covers only regulated financial sector entities, making it a more specific signal for firms operating in that space.

What the supply chain finding means structurally

A firm can invest heavily in its own security architecture – endpoint detection, access controls, staff training, next-generation firewalls – and still be compromised through a vendor operating with weaker standards. The attack surface extends to every third party with access to your systems, data, or network.

For firms that outsource IT infrastructure, managed services, or cloud hosting, this finding has direct implications. The security posture of the provider is not a background consideration. It is a frontline risk variable, and FINMA is treating it as one.

The regulatory framework

FINMA's approach to outsourcing risk is set out in FINMA Circular 2023/1 – Operational risks and resilience (banks). It requires supervised institutions to assess, monitor, and document the risk presented by third-party relationships on an ongoing basis. Contractual provisions are necessary but not sufficient. The circular requires active monitoring, not just documentation at the point of contract.

The annual report finding adds empirical weight to an expectation that was already in force. Institutions that have treated third-party risk as a documentation exercise rather than an active programme are now facing evidence that the risk is real and that it is materialising.

How to assess your IT provider

The relevant distinctions between providers include: where data is hosted and under what legal jurisdiction, what security certifications are held, how incidents are logged and reported, and what controls the provider applies to its own supply chain. For firms in Geneva under FINMA supervision, the documentation of the provider selection decision – the due diligence, the risk assessment, the ongoing monitoring – is what FINMA will examine if a supply chain incident occurs.

Questions to ask your IT provider

  • Where is our data hosted, and under what legal jurisdiction?
  • What security certifications do you hold (ISO 27001:2022, SOC 2 Type II)?
  • How are security incidents logged, escalated and reported to us?
  • What controls do you apply to your own subcontractors and vendors?
  • What is your mean time to detect and respond to a breach?
  • How does your contractual framework support our FINMA outsourcing documentation obligations?

References

FINMA Annual Report 2025: https://www.finma.ch/en/documentation/finma-publications/annual-reports--and-financial-statements/

FINMA circulars – operational risks and resilience: https://www.finma.ch/en/documentation/finma-circulars/

FINMA Supervisory Priorities 2025: https://www.finma.ch/en/documentation/finma-publications/annual-reports--and-financial-statements/supervisory-priorities/

Rafik Kattoum

Infrastructure Manager at Penta

Rafik is instrumental in driving Penta’s position as a leading Cloud Solution provider. With a passion for solving complex challenges, Rafik’s innovative leadership ensures that Penta operates with the precision of a Swiss-made timepiece. Known for his unwavering commitment to client data security, Rafik spearheads initiatives such as implementing immutable backups to enhance ransomware protection.