FINMA updates cyber and critical data risk audit programmes for 2025


FINMA has released two audit work programmes to strengthen oversight of cyber and data risks in Swiss financial institutions: an updated “Cyber Risk Management” programme and a new “Critical Data Risk Management” programme.

The Cyber Risk Management programme (version dated 3 June 2025) and the Critical Data Risk Management programme (version dated 15 March 2025) both apply from the 2025 audit period onwards.

These programmes set formal expectations for how banks and asset managers are audited on cyber security and critical data protection. They reflect FINMA’s latest regulatory guidance and expand the focus areas that auditors and firms’ boards must address going forward.

New Focal Points in Cyber Risk Management Audits

The updated Cyber Risk Management audit programme introduces a more technical and comprehensive set of control points. 

It emphasises governance and alignment with enterprise risk management: institutions must have clear internal policies and strategies for cyber risk that align with overall IT strategy and risk policy. 

FINMA has raised board accountability for cyber risk – the board of directors is expected to regularly assess and set the firm’s risk tolerance for cyber threats in line with business objectives. 

Senior management should maintain an approved cyber risk strategy and provide regular risk development reports up to the board, ensuring cyber risk is treated as a strategic issue.

The programme also highlights comprehensive asset inventory and protection measures. Firms are required to maintain an up-to-date inventory of all critical ICT assets and third-party interfaces, with controls to ensure its completeness and accuracy. New audit steps focus on verifying preventive measures like data loss prevention (DLP) for sensitive or critical data, robust network and infrastructure security controls (e.g. network segmentation, firewalls, endpoint detection), and a risk-based approach to timely patch management. 

There is a stronger expectation for continuous monitoring and logging of security events: auditors will check that all critical systems and applications feed into centralised log monitoring and that anomalies are promptly detected and evaluated.

Crucially, the updated cyber audit programme reinforces incident response and resilience. FINMA expects firms to have well-defined response playbooks for cyber attacks, with clear escalation and mitigation procedures. 

Auditors must now verify that organisations test their recovery processes – for example through regular tabletop exercises and recovery drills – to confirm that critical systems and data can be restored quickly after a cyber incident. These additions reflect lessons from recent FINMA guidance on cyber incident handling and scenario-based cyber risk exercises.

Notably, if critical IT operations are outsourced, the institution remains accountable: FINMA directs auditors to examine how firms define, safeguard, and monitor outsourced services to uphold cyber controls.

New Focal Points in Critical Data Risk Management Audits

The Critical Data Risk Management audit programme is a new addition, underscoring FINMA’s heightened focus on data governance and protection. This programme formalises how “critical data” – information whose confidentiality, integrity or availability is vital – should be managed within the risk framework. 

Integration into enterprise risk management is a key theme: FINMA now requires that critical data risks (such as data loss, theft, poor data quality or unauthorised manipulation) be treated as a distinct risk category within the firm’s operational risk management, with proper identification, assessment, mitigation, monitoring, and reporting processes. In practice, this means critical data risk must be addressed comprehensively alongside other major risks, rather than overlooked as an IT issue.

The new audit work programme also elevates governance expectations for data risk. Boards of directors must explicitly approve and regularly re-evaluate the institution’s risk appetite for critical data risks (at least annually). 

Executive management is expected to implement a documented strategy for critical data risk management, which should include an institution-specific definition of what constitutes “critical data,” methods for systematic data identification and classification, and measures to ensure confidentiality, integrity, and availability of such data. 

Auditors will assess whether roles and responsibilities for critical data (e.g. data owners, data stewards) are clearly defined and assigned across the organisation, and whether staff (including contractors) receive adequate training and awareness on handling critical data.

Inventory and monitoring of critical data are newly emphasised. Firms must maintain a detailed inventory of all critical data, documenting attributes such as where the data is stored (including cloud locations), the relevant software systems, data owners, classification of criticality, and dependencies or interfaces with third parties. Controls should be in place to ensure the inventory’s accuracy and completeness over time.

In addition, the programme sets expectations for strict access management: access to critical data (by employees and by third parties) should follow the principle of least privilege and be governed by robust Identity and Access Management processes.

Auditors will test not only the design but also the effectiveness of key controls protecting critical data, including encryption, monitoring of data usage, and safeguards for privileged user accounts.

The critical data audit programme also covers incident handling and third-party risk. Firms must have processes to manage and report incidents that significantly affect critical data’s confidentiality, integrity or availability, aligning with FINMA’s incident reporting requirements. 

When it comes to third-party service providers that may handle a firm’s critical data, FINMA now expects rigorous oversight: the audit will review the due diligence process for selecting such providers and whether contracts include appropriate data protection clauses. 

Moreover, institutions should continuously monitor and periodically audit external service providers to ensure they adhere to the required data handling standards. This comprehensive approach makes it clear that outsourcing data management does not outsource the accountability – the onus remains on the firm to safeguard critical data throughout its lifecycle.

Key Points for the C-Suite

  • Effective 2025: Both new audit programmes take effect from the 2025 audit year, meaning audits will now check against these updated criteria. Firms should prepare now to meet the strengthened requirements.
  • Board & Governance Front and Center: FINMA expects active board oversight of cyber and data risks. Boards must set and regularly review risk appetite for cyber threats and critical data loss, while management implements approved strategies and reports on risk developments. Governance frameworks should clearly assign roles and responsibilities for managing these risks.
  • Integration into ERM: Cyber and critical data risks must be embedded in enterprise risk management. Critical data risk is now treated as its own risk category within operational risk, requiring comprehensive identification, assessment, and monitoring like any other major risk. Cyber risk management practices should align with overall risk policies and business strategy.
  • Asset & Data Inventories: Firms are required to maintain up-to-date inventories of critical IT assets (hardware, software, interfaces) and critical data assets (including where data is stored, its owners, and its criticality). Auditors will verify that inventory controls are in place to keep these records complete and accurate.
  • Enhanced Controls & Monitoring: Expect scrutiny of technical controls – e.g. data loss prevention, network segmentation, anti-malware, patch management – and whether they are risk-based and effective. Continuous monitoring is a focal point: all critical systems should log to centralised monitoring with analysis to promptly detect anomalies or breaches. Strict access management for sensitive data (least privilege, IAM systems, privileged user monitoring) will be reviewed.
  • Incident Response & Resilience: Audits will now check that incident response plans for cyber attacks are robust and tested. Firms should have up-to-date playbooks for cyber incidents, perform regular tabletop exercises to test response and recovery capabilities, and ensure fast reporting of incidents to FINMA. Recovery processes for critical systems and data must be documented and validated through drills.
  • Third-Party Risk Management: Both programmes introduce stricter oversight of outsourcing. If critical services or data handling are delegated to third parties, the firm must have performed thorough due diligence and contractually enforced data protection standards. Ongoing monitoring and periodic audits of vendors (especially those abroad or with access to critical data) are expected to ensure they meet the institution’s security requirements. The accountability for protecting data and cyber resilience ultimately remains with the regulated firm.

Next Steps: C-suite executives should review their cyber security and data governance frameworks against these new FINMA standards. Early internal audits or gap assessments can help identify areas needing improvement before the next official audit. 

For a roadmap on achieving compliance with FINMA’s cyber and data risk expectations, visit Penta’s guide: Your Roadmap to FINMA Cyber Risk Compliance. This resource outlines practical steps to align your organisation with the new requirements and ensure robust protection of critical assets moving forward.

Jonathan Da Dalto

Compliance Manager at Penta

Jonathan Da Dalto is Compliance Manager at Penta. He advises financial institutions on regulatory compliance, IT governance, and cyber resilience, with a focus on FINMA’s evolving supervisory requirements. Jonathan has extensive experience guiding boards and senior management teams in Geneva and across Switzerland to align technology risk management with business strategy and regulatory expectations.
