IT security and compliance in the financial sector - Why financial institutions should modernize their infrastructure

FINMA is drawing attention to the key risks associated with artificial intelligence, including operational and model risks, data-related risks, cyberattacks, and legal and reputational exposure. Swiss supervision has significantly increased its focus on the digital operational resilience of financial institutions.

Cyber risks can no longer be framed as a purely technical issue managed by IT teams. They represent a potential vulnerability for the entire organization, with potentially severe business consequences.

This is why FINMA Circular 23/1, “Operational Risks and Resilience – Banks,” which came into force in 2024, sets updated requirements for managing cyber risks, with particular emphasis on governance in handling cyber threats.

Reports submitted to FINMA regarding successful or partially successful cyberattacks have risen by 30% compared to the previous year. Attack methods continue to evolve: supervised institutions across all categories have reported a growing number of cyber incidents, including AI-powered attacks, Business Email Compromise, and various forms of cyber fraud, such as CEO impersonation.

This environment makes it even more strategic to choose local partners with data centers in Switzerland that ensure data sovereignty and compliance by design.

Many financial institutions in Ticino - especially small to mid-sized ones - still operate on aging on-premises infrastructures that exhibit multiple vulnerabilities, including inadequate processes for identifying and promptly remediating software vulnerabilities and gaps in configuration management.

This is not only a security issue but also an efficiency challenge. Hidden costs include hardware maintenance, dedicated office space, continuous support, the need for specialized technical personnel (increasingly scarce in the local market), and limited ability to scale resources quickly as operational needs change.

For all financial operators under FINMA supervision—banks, wealth managers, and asset managers—migrating to Private Cloud solutions provides the most effective answer to challenges of security, compliance, and efficiency. A Private Cloud offers several advantages compared to the Public Cloud:

• Guaranteed data localization in Switzerland, a crucial requirement to meet regulatory demands for digital sovereignty. Data remains in certified Swiss data centers, fulfilling prudential supervision criteria.
• Full customization and control, as each institution can tailor its environment to its specific needs, maintaining oversight of security, performance, and governance without the constraints of standardized public cloud solutions.
• Consolidation and resource optimization, with virtualization eliminating the waste typical of oversized environments, dynamically allocating resources based on real needs and drastically reducing operational costs.

Security in the financial sector requires a multilayered approach where each component communicates in real time with the others. Deploying integrated enterprise-grade security systems creates a secure environment that includes:

• Next-generation perimeter firewalls with deep packet inspection and built-in threat intelligence.
• Advanced communication protection with dynamic antispam and attachment sandboxing.
• Endpoint Detection and Response (EDR) for unified endpoint management. Every device—laptop, smartphone, tablet, workstation—is a potential attack vector, and advanced endpoint systems continuously assess each device based on multiple factors.
• 24/7 SOC-as-a-Service, giving financial institutions continuous monitoring, forensic analysis, alert triage, and immediate incident response. Outsourcing this critical function to a specialized local partner ensures top-tier expertise at sustainable, service-based costs.

This approach is not just theory, it is established practice for us at Tinext Cloud. For Azimut Switzerland, we supported a full IT transformation over two years: from an on-premises environment to a modern Private Cloud ecosystem with integrated Fortinet security, a 24/7 SOC, and centralized access management for external providers.

We also implemented a CIO-as-a-Service model, offering ongoing consulting support, ICT strategic planning, technology governance, FINMA audit and compliance documentation, and direct interface with supervisory authorities—all without the cost of a full-time internal executive.

The results are concrete: reduced operating costs, the complete elimination of physical servers from office premises, enhanced resilience with guaranteed service continuity, full regulatory compliance, and centralized IT governance through a single local technology partner. Read the full case study here.