Author: Alexia Muanza (swisscybersecurity.net)
Source: Finma warns of technological risks in Swiss financial sector
Publication Date: November 25, 2025
Summary Reading Time: 4 minutes
Executive Summary
The Swiss Financial Market Supervisory Authority (Finma) warns in its 2025 Risk Monitoring report of a dramatic increase in technological risks due to growing cloud dependency and outsourcing of critical functions to external providers. 47 percent of all reported cyber incidents in 2024 can be traced back to external service providers – a systemic risk that threatens the stability of the entire financial center. The concentration on a few tech providers creates single-point-of-failure scenarios, while outdated internal systems and inadequate data quality further increase vulnerability. Action required: Swiss financial institutions must fundamentally strengthen their technological resilience – but current outsourcing practices run directly counter to this requirement.
Critical Key Questions
Where does sensible digitalization end – and where does dangerous dependency begin? By outsourcing to a few dominant cloud providers, aren't financial institutions voluntarily creating oligopolistic structures that undermine their own capacity to act and competitiveness in the long term?
Who bears responsibility when systemically important infrastructure lies with private tech corporations? Is Finma's regulatory control still effective at all when critical banking functions run on servers of US or other foreign hyperscalers?
What innovation opportunities arise for European and Swiss cloud providers? Could the recognized risk concentration pave the way for sovereign, decentralized infrastructure solutions – or will the result be regulatory warnings without structural consequences?
Scenario Analysis: Future Perspectives
Short-term (1 year):
Financial institutions strengthen emergency plans and redundancies, Finma tightens inspections of outsourcing arrangements. Increased audits of third-party providers and higher compliance costs are expected. Critical incidents at individual cloud providers could lead to service outages and loss of trust in the short term.
Medium-term (5 years):
Regulation will likely introduce stricter diversification requirements. Financial institutions could be forced to distribute critical systems across multi-cloud architectures or fall back on European/Swiss providers. Market opportunities for regional cloud providers increase. At the same time, there is a risk of infrastructure fragmentation, which would increase complexity and costs.
Long-term (10–20 years):
Possible renationalization or nationalization of critical digital financial infrastructure in response to geopolitical tensions. Alternative scenarios: Either global standardization of security norms through international cooperation or digital balkanization with national island solutions. The question of digital sovereignty becomes a strategic survival issue for Switzerland as a financial center.
Main Summary
a) Core Theme & Context
Finma identifies technological dependencies and external cyber risks in its 2025 Risk Monitoring report as a central threat to the stability of the Swiss financial sector. The rapid shift of critical functions to the cloud and to external IT service providers has created a systemic concentration risk. The warning comes against the backdrop of increasing cyberattacks and several service outages at third-party providers – developments that could shake confidence in the resilience of the financial center.
b) Most Important Facts & Figures
- 47% of all cyber incidents in 2024 were caused by external providers
- Banks: Increase in critical cloud functions from 60 (2023) to 83 (2024) (+38%)
- Insurance companies: Increase from 46 to 50 critical cloud functions (+9%)
- 8 out of 10 banks outsource the majority of their ICT infrastructure
- Attack vectors: 37% unauthorized access, 30% DDoS attacks, 14% identity theft
- Payment systems (including Twint) increasingly targeted by phishing and fraudulent platforms
- Insurers now also outsource capital management – further risk concentration
c) Stakeholders & Affected Parties
Directly affected:
- Swiss banks and insurance companies (operationally and reputationally)
- Finma (regulatory, enforcement pressure)
- Financial sector customers (data security, service availability)
- Cloud and IT service providers (liability issues, stricter audits)
Indirectly involved:
- Swiss economy as a whole (dependent on functioning payment systems)
- Political decision-makers (question of digital sovereignty and location attractiveness)
- International regulators (EU DORA regulation, Basel III standards)
d) Opportunities & Risks
Risks:
- Systemic domino effect: Failure of a major cloud provider could paralyze multiple financial institutions simultaneously
- Vendor lock-in: Long-term dependency on a few technology corporations makes switching difficult and increases their pricing power
- Geopolitical vulnerability: Foreign authorities' access to data, sanctions risks
- Outdated legacy systems: Complex hybrid architectures create new vulnerabilities
- Reputational loss: Repeated outages or data leaks endanger trust in Switzerland as a financial center
Opportunities:
- Market potential for sovereign cloud solutions: Swiss and European providers can strengthen their position
- Innovation in security technologies: Growing demand for zero-trust architectures, encryption, AI-based anomaly detection
- Regulatory pioneering role: Switzerland could set standards for secure financial infrastructure
- Competitive advantage: Institutions that build resilience early gain trust and market share
e) Action Relevance
For financial institutions:
- Conduct immediate risk analysis of all outsourcing arrangements and cloud dependencies
- Develop multi-vendor strategies to avoid single points of failure
- Prioritize modernization of outdated systems – technical debt becomes an existential threat
- Test incident response plans and prepare communication strategies for failure scenarios
For regulators and policymakers:
- Introduce stricter due diligence requirements for outsourcing to third parties
- Examine promotion of European/Swiss cloud infrastructure as a strategic project
- Intensify international cooperation on cybersecurity standards
Time pressure: Risk concentration is growing faster than regulatory and technical countermeasures can be implemented. The next 12–24 months are crucial for setting a preventive course.
Quality Assurance & Fact-Checking
✅ Facts verified on: November 28, 2025
✅ Primary source: Official Finma Risk Monitor 2025
✅ Figures: All percentages and numbers are from the cited Finma document
⚠️ Limitation: No detailed breakdown available of which specific cloud providers are affected – presumably not publicly communicated for regulatory reasons
Supplementary Research
The following current sources were considered to contextualize developments:
- EU Digital Operational Resilience Act (DORA) – Stricter requirements for financial institutions since January 2025, also affects Swiss providers with EU business
- BACS (Federal Office for Cybersecurity) – Cybersecurity Report 2024: Confirms rising trend in supply chain attacks also outside the financial sector
- Cisco Survey November 2025: 99% of Swiss SMEs (including financial service providers) classified as easy targets for cybercriminals – structural weaknesses confirmed
Contrary/supplementary perspectives:
- Cloud industry: Arguments for increased security through professional hyperscalers vs. in-house solutions
- Cost efficiency: Outsourcing reduces operational costs – question of risk assessment remains politically controversial
Source Directory
Primary source:
Die Finma warnt vor technologischen Risiken im Schweizer Finanzsektor – swisscybersecurity.net, November 25, 2025
Supplementary sources:
- Finma – Risk Monitoring 2025 (official publication)
- EU Digital Operational Resilience Act (DORA) – Regulatory framework
- BACS Cybersecurity Report 2024 – National threat analysis
- Cisco Survey: 99% of Swiss SMEs at risk – swisscybersecurity.net, November 27, 2025
Journalistic Compass
✅ Power structures critically examined: Oligopoly formation among cloud providers and dependency relationships clearly identified
✅ Freedom & responsibility: Tension between efficiency gains and loss of sovereignty addressed
✅ Transparency: Information gaps (missing provider names) explicitly marked
✅ Food for thought instead of repetition: Scenarios and key questions encourage readers to form their own judgment
File information:
Version: 1.0 | Created: November 28, 2025 | License: CC-BY 4.0