Protecting Critical Data: Why Financial Institutions Must Act Now on DLP

With the rise of outsourcing models and increasingly sophisticated cyberattacks, protecting sensitive data has become a matter of survival for financial institutions. Unsurprisingly, regulatory requirements are also tightening: With FINMA Circular 2023/01 and the recent Guidance Notice 03/2024, the Swiss Financial Market Supervisory Authority (FINMA) has made it clear how banks must protect critical data. The latest supervisory notice highlights one point in particular: when it comes to Data Loss Prevention (DLP), many financial institutions still have urgent work to do.
DLP refers to a combination of technical and organizational measures to detect, monitor, and prevent data leaks—whether caused by misconduct, negligence, or targeted attacks. Effective DLP solutions identify critical data, monitor its movement across networks, endpoints, and cloud environments, and integrate with existing security and audit systems.
Regulatory Requirements – and Where the Gaps Are
In recent years, FINMA has significantly sharpened its expectations around sensitive data protection. The requirements are binding, apply to all supervised institutions, and repeatedly expose substantial shortcomings in practice:
- FINMA Circulars 05/2020 and 2023/01: Protection of critical data is mandatory
- Circular 05/2020 established the obligation to report successful or partially successful cyberattacks of material relevance within 24 hours.
- Circular 2023/01 further requires financial institutions to identify critical data, define risk tolerances, and implement protection measures, including access controls, employee training, and outsourcing standards.
- FINMA Guidance 02/2024: DLP measures fall short
Key findings from FINMA paint a clear picture:
- Narrow DLP focus: Many institutions only monitor and protect client identification data and payment information (e.g., credit card numbers), leaving other critical categories—such as trade secrets, personal data, and intellectual property—uncovered.
- Lack of transparency with service providers: Institutions often do not know whether third parties process critical data. Effective monitoring and controls are rarely in place.
- Weak access and log management: In many cases, it is unclear who actually has access to sensitive data. Critical log files are not consistently analyzed—or only during office hours.
- Insufficient effectiveness testing: DLP measures are seldom evaluated. Core cyber controls are often not embedded in internal control systems (ICS) and are reduced to box-ticking exercises.
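The two access and log management findings above (nobody knows who actually has access to critical data, and log files are only reviewed during office hours) can be turned into concrete detection logic. The following is an added example, not code from the article or from FINMA: it evaluates constructed access log lines against a hypothetical need-to-know list and flags both access by accounts outside that list and bulk transfers of critical data outside business hours. The log format, the `/vault/` prefix, the user names and the thresholds are all assumptions made for the example; in a real deployment the policy data would come from the data inventory and the IAM system, and the rules would run continuously in the SIEM rather than in a script.

```python
import re
from datetime import datetime

# Constructed sample access log lines (not real data): one line per file access.
LOG_LINES = [
    "2025-03-03T09:12:40+01:00 user=alice action=read resource=/vault/clients/pep_list.xlsx bytes=20480",
    "2025-03-03T23:47:05+01:00 user=alice action=download resource=/vault/clients/pep_list.xlsx bytes=48234112",
    "2025-03-04T10:03:11+01:00 user=bob action=read resource=/vault/clients/pep_list.xlsx bytes=20480",
    "2025-03-04T11:30:00+01:00 user=carol action=read resource=/shared/lunch_menu.txt bytes=512",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"resource=(?P<resource>\S+) bytes=(?P<bytes>\d+)$"
)

# Hypothetical policy data. In practice this comes from the data inventory
# (which resources are critical) and from IAM (who has a need to know).
CRITICAL_PREFIXES = ("/vault/",)
NEED_TO_KNOW = {"/vault/clients/pep_list.xlsx": {"alice"}}
BUSINESS_HOURS = range(7, 19)          # 07:00 to 18:59 local time
BULK_BYTES = 10 * 1024 * 1024          # anything above 10 MiB counts as bulk


def parse(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])   # keeps the local offset
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_critical(resource: str) -> bool:
    return resource.startswith(CRITICAL_PREFIXES)


def evaluate(rec) -> list:
    """Return the names of the rules a single parsed record violates."""
    alerts = []
    if not is_critical(rec["resource"]):
        return alerts                       # non-critical data: no DLP rule applies
    allowed = NEED_TO_KNOW.get(rec["resource"], set())
    if rec["user"] not in allowed:
        alerts.append("access_outside_need_to_know")
    if rec["ts"].hour not in BUSINESS_HOURS and rec["bytes"] >= BULK_BYTES:
        alerts.append("off_hours_bulk_transfer")
    return alerts


def detect(lines) -> list:
    """Run every rule over every line; unparseable lines are reported too,
    because a silently dropped log line is itself a monitoring gap."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            findings.append({"rule": "unparseable_log_line", "line": line})
            continue
        for rule in evaluate(rec):
            findings.append({
                "rule": rule,
                "user": rec["user"],
                "resource": rec["resource"],
                "time": rec["ts"].isoformat(),
            })
    return findings


if __name__ == "__main__":
    for f in detect(LOG_LINES):
        print(f)
```

Run against the sample lines, the script reports alice's 48 MB download at 23:47 as an off-hours bulk transfer and bob's read as access outside the need-to-know list; alice's daytime read and carol's access to a non-critical file produce nothing. The point of keeping `evaluate` separate from `detect` is that the rules can be unit-tested against known-good and known-bad records, which is exactly the effectiveness testing the fourth finding says is missing.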
DLP Failures in Practice: Real-World Cases
The consequences of weak or missing protection are evident in recent incidents involving financial institutions and their providers:
- FEB 2023: A whistleblower leaked details of over 30,000 accounts to an international journalist network, exposing asset information of controversial clients. No cyberattack was involved—just a lack of internal data flow controls.
- AUG 2023: Following a cyberattack on London Capital Group (a Flowbank subsidiary), a file containing personal client data was stolen. Although no misuse has been reported, phishing attempts remain a risk.
- SEP 2024: Zurich-based wealth manager Boreal Capital Management suffered a ransomware attack by the “Play” group. Around 46 GB of client data—including sensitive information on high-risk and politically exposed persons—was leaked on the dark web. The breach originated from a former service provider’s database.
- FEB 2025: The ransomware group “Everest” claimed to have stolen 173 GB of data from ITSS Global, a Geneva-based banking software provider. The stolen files included confidential bank records and contracts from more than 300 institutions worldwide. The breach was traced back to unauthorized use of a non-privileged Microsoft 365 account.
Best Practices: What Financial Institutions Must Do Now
- Data inventory and classification: A robust DLP program starts with knowing exactly which data is critical. This requires structured classification based on criteria such as file type, content, or business area—supported by clear policies and, ideally, automated classification features.
- Holistic protection approach: Effective data protection depends on integrating network-, endpoint-, and cloud-based DLP into a single strategy. This ensures consistent oversight across hybrid IT environments.
- Access and rights management: Role-based access control (RBAC) and the principle of “need-to-know” must be strictly enforced and regularly reviewed—preferably via a central Identity and Access Management (IAM) system.
- Awareness and training: Human error remains one of the biggest risks. Employees should receive regular training not just on technical issues but also on social engineering, phishing, and accidental data leaks.
- Continuous monitoring and incident response: DLP is only effective if regularly tested and monitored. Integration into a Security Information and Event Management (SIEM) system enables real-time detection and ensures swift, documented response through an established incident management process.
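The first best practice, automated classification of critical data, and the earlier finding that many institutions only look for card numbers, can be illustrated with a small content classifier. This is an added example and not code from the article or from any DLP product: it scans constructed sample files and assigns each to the categories the article names (payment information, client identification data, personal data, trade secrets). The card number is a widely used test PAN, the IBAN is the standard Swiss sample IBAN, and the file names, marker words and category names are assumptions for the example. Real DLP engines use far richer detectors (document fingerprints, exact data matching, OCR), but the structure is the same: validate candidates with a checksum where one exists, so that random digit strings do not flood the inventory with false positives.

```python
import re

# Constructed sample files (not from the article). 4111111111111111 is a
# well-known test card number; CH93 0076 2011 6238 5295 7 is the standard
# Swiss example IBAN. Neither belongs to a real account.
SAMPLE_FILES = {
    "payment_batch.csv": "txn=1;card=4111111111111111;amount=120.00",
    "client_onboarding.txt": (
        "Client: Jane Doe\n"
        "IBAN: CH93 0076 2011 6238 5295 7\n"
        "Date of birth: 1980-02-14"
    ),
    "strategy_memo.txt": "CONFIDENTIAL - INTERNAL ONLY\nQ3 trading strategy for the structured products desk",
    "lunch_menu.txt": "Soup of the day: tomato",
}

PAN_RE = re.compile(r"\b\d{13,19}\b")
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b")
DOB_RE = re.compile(r"date of birth|geburtsdatum|\bDOB\b", re.IGNORECASE)
SECRET_MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY", "TRADE SECRET")   # assumed marking scheme


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def iban_valid(iban: str) -> bool:
    """ISO 13616 mod-97 check: move the first four characters to the end,
    replace letters with 10..35 and the remainder mod 97 must be 1."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


def classify(text: str) -> list:
    """Return the sorted list of critical-data categories found in the text."""
    cats = set()
    if any(luhn_valid(m) for m in PAN_RE.findall(text)):
        cats.add("payment_information")
    if any(iban_valid(m) for m in IBAN_RE.findall(text)):
        cats.add("client_identification")
    if DOB_RE.search(text):
        cats.add("personal_data")
    upper = text.upper()
    if any(marker in upper for marker in SECRET_MARKERS):
        cats.add("trade_secret")
    return sorted(cats)


def inventory(files: dict) -> dict:
    """Build the data inventory: file name -> categories."""
    return {name: classify(body) for name, body in files.items()}


def missed_by_card_only_scanner(files: dict) -> list:
    """Files that hold critical data but that a scanner looking only for
    card numbers would never flag: the 'narrow DLP focus' gap."""
    return sorted(
        name for name, cats in inventory(files).items()
        if cats and "payment_information" not in cats
    )


if __name__ == "__main__":
    for name, cats in inventory(SAMPLE_FILES).items():
        print(f"{name}: {cats or ['(none)']}")
    print("missed by a card-only scanner:", missed_by_card_only_scanner(SAMPLE_FILES))
```

On the sample set, the inventory tags the payment batch as payment information, the onboarding file as both client identification data and personal data, and the memo as a trade secret, while the lunch menu stays unclassified. `missed_by_card_only_scanner` then lists the onboarding file and the memo, which is the coverage gap the FINMA findings describe: a PAN-only policy would leave two of the three critical files unprotected.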
What this Means in Practice
For financial institutions, payment providers, and all companies using SWIFT directly or indirectly, it’s time once again to review compliance status. New focus areas such as back-office data flow security and client-connector safeguards must be addressed early. Doing so not only prepares institutions for the next certification but also strengthens long-term cyber resilience. Certification must be completed by the end of 2025—both for SWIFT and SIC participants. Experience shows: the earlier you prepare, the smoother the process will be.
How we support you
As a certified provider (PCI DSS 4.01, ISO 27001:2022) specializing in information security, managed security services, and GRC consulting, we help Swiss banks and other FINMA-regulated institutions implement effective, compliant DLP strategies. Our focus is on practical, integrated solutions spanning the entire security architecture—from endpoint to cloud, from strategy to operations.
Robust DLP is no longer a “nice-to-have”—especially for banks under FINMA’s close supervision. Those who fail to act proactively risk not only sanctions but also the trust of their clients. We are here to help you protect your data effectively—and safeguard your digital future.
Get in touch with us today.