9 min read

Security ROI Metrics for Swiss Board Reporting 2026

Swiss security leaders face mounting pressure to justify investment in financial terms — the metrics that satisfy FINMA, the board, and the audit function are not the same.

The question Swiss boards are increasingly asking their CISOs is not "are we secure?" but "how much security is enough, and how do we know?" FINMA Circular 2023/1 on operational risks and resilience requires supervised institutions to maintain a risk appetite framework that covers cyber risk alongside operational and financial risk — a requirement that pushes cybersecurity out of the technical domain and into the boardroom as a quantified risk management discipline. The ISACA State of Cybersecurity 2026 report and Gartner's Security and Risk Summit findings confirm that Swiss security leaders are under mounting pressure to produce metrics boards can act on, not dashboards they cannot interpret. The challenge is that the metrics security teams track internally — vulnerability counts, mean time to detect, patch cycle completion rates — do not translate directly into the financial and strategic language boards use to make resource allocation decisions. This article provides a framework for bridging that gap within the FINMA governance context.

What FINMA Circular 2023/1 Actually Requires from the Board

FINMA Circular 2023/1 (Operational risks and resilience – banks) establishes that the board of directors of a supervised institution is responsible for approving the institution's risk appetite for operational risk, a category that explicitly includes cyber risk. This is not a compliance formality. The circular requires that the risk appetite be expressed in measurable terms, that actual risk exposure be monitored against it, and that the board receive regular reporting on whether the institution is operating within its defined tolerance. An institution that has a board-approved risk appetite statement covering cyber risk but cannot demonstrate measurement and monitoring against it is not compliant with the circular: it has fulfilled the documentation requirement while missing the governance substance.

The practical implication is that Swiss CISOs at banks and insurers need to produce board reporting that connects cybersecurity activity to the institution's stated risk tolerance. A CISO presenting a slide deck of vulnerability counts and patch percentages to a board that has approved a risk appetite statement expressed in terms of expected loss, recovery time objectives, and maximum tolerable downtime is presenting in the wrong register. The board has no mechanism to determine whether the technical posture described is consistent with the risk appetite it approved. FINMA supervisory assessments identify this disconnect as a governance gap — not a technical gap — and it appears consistently in supervisory feedback to Swiss financial institutions.

The Measurement Framework: Three Layers of Metrics

Effective board-level security reporting for Swiss institutions requires three distinct but connected layers of measurement: operational metrics that security teams track, programme metrics that translate operational performance into risk indicators, and financial metrics that express residual risk in terms boards can compare to risk appetite and capital allocation.

Operational metrics are what most security teams already produce: mean time to patch critical vulnerabilities, phishing simulation click rates, percentage of endpoints with current endpoint detection, open vulnerability counts by severity. These are essential for security operations but not board-reportable in isolation. They describe activity, not risk posture.

Programme metrics translate operational data into risk indicators boards can interpret. The vulnerability exposure window, the number of days a critical vulnerability exists in production before it is patched, is a more board-useful version of "we patched 94% of critical CVEs this quarter." It expresses a risk duration rather than a completion rate, and it can be compared to the institution's stated SLA and to industry benchmarks. Two details matter in how it is computed: findings that are still open must be counted from the day they were confirmed up to the reporting date, otherwise an unpatched backlog disappears from the figure; and the median and 90th percentile should accompany the mean, because a handful of long-running exposures is exactly what the board needs to see and a mean hides them. Similarly, phishing click rate trends expressed as percentage change over rolling quarters communicate programme effectiveness rather than raw performance. Programme metrics should be selected to reflect the institution's specific risk profile: a bank with extensive third-party payment infrastructure needs third-party patching cycle metrics in its board reporting; a bank with extensive remote access should report MFA coverage rates as a programme metric tied to its stated access control risk appetite.
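A worked computation of the two programme metrics named above, exposure window and patch SLA compliance, added here as an example rather than taken from the article. The findings are constructed sample data, the 7-day critical and 30-day high SLAs are hypothetical policy values, and the reporting date and finding identifiers are placeholders. It counts open findings up to the reporting date, reports median and p90 beside the mean, and treats an open finding that is already past its SLA as a breach while leaving a freshly opened one out of the rate until its SLA has elapsed.

```python
"""Programme metrics from a vulnerability-tracker export: exposure window and
SLA compliance per severity. Added example, not code from the article; the
findings below are constructed sample data and the SLA values are hypothetical
policy settings standing in for the institution's own."""
import math
from dataclasses import dataclass
from datetime import date
from statistics import mean, median
from typing import Optional

# Hypothetical patch SLAs in days, keyed by severity (7 days matches the
# article's example of a critical-patch policy).
SLA_DAYS = {"critical": 7, "high": 30}


@dataclass(frozen=True)
class Finding:
    finding_id: str          # tracker identifier (placeholder, not a CVE)
    severity: str            # "critical" or "high" in this sample
    first_seen: date         # date the finding was confirmed in production
    patched: Optional[date]  # None while the finding is still open


# Constructed sample export. F-003 is open well past SLA; F-006 was opened two
# days before the reporting date, to show how each case is treated.
FINDINGS = [
    Finding("F-001", "critical", date(2026, 1, 5), date(2026, 1, 9)),
    Finding("F-002", "critical", date(2026, 1, 12), date(2026, 2, 2)),
    Finding("F-003", "critical", date(2026, 2, 1), None),
    Finding("F-004", "high", date(2026, 1, 20), date(2026, 2, 10)),
    Finding("F-005", "critical", date(2026, 2, 14), date(2026, 2, 19)),
    Finding("F-006", "critical", date(2026, 2, 27), None),
]
AS_OF = date(2026, 3, 1)  # hypothetical reporting date for the sample


def exposure_days(finding: Finding, as_of: date) -> int:
    """Days the finding has been exposed in production; open findings count up to as_of."""
    end = finding.patched or as_of
    return (end - finding.first_seen).days


def nearest_rank_percentile(sorted_values, q: float):
    """Nearest-rank percentile of an ascending list, q in (0, 1]."""
    index = math.ceil(q * len(sorted_values)) - 1
    return sorted_values[max(0, index)]


def exposure_window(findings, severity: str, as_of: date = AS_OF) -> dict:
    """Exposure-window statistics for one severity. Open findings are included
    (counted to as_of) so an unpatched backlog cannot hide behind a good mean,
    and the p90 is reported because the mean alone masks the tail."""
    matching = [f for f in findings if f.severity == severity]
    days = sorted(exposure_days(f, as_of) for f in matching)
    if not days:
        return {"count": 0, "open": 0, "mean": None, "median": None, "p90": None}
    return {
        "count": len(days),
        "open": sum(1 for f in matching if f.patched is None),
        "mean": round(float(mean(days)), 1),
        "median": float(median(days)),
        "p90": nearest_rank_percentile(days, 0.9),
    }


def sla_compliance(findings, severity: str, as_of: date = AS_OF) -> dict:
    """Share of findings closed within SLA. An open finding already past the SLA
    is a breach; an open finding still inside the SLA is not yet decided and is
    kept out of the rate but reported as pending."""
    sla = SLA_DAYS[severity]
    assessed = met = open_past_sla = pending = 0
    for f in (f for f in findings if f.severity == severity):
        d = exposure_days(f, as_of)
        if f.patched is None and d <= sla:
            pending += 1
            continue
        assessed += 1
        if f.patched is None:
            open_past_sla += 1
        elif d <= sla:
            met += 1
    rate = round(met / assessed, 3) if assessed else None
    return {"sla_days": sla, "assessed": assessed, "met": met, "rate": rate,
            "open_past_sla": open_past_sla, "pending": pending}


def board_line(findings, severity: str, as_of: date = AS_OF) -> str:
    """One board-report sentence stating the risk duration and the SLA gap together."""
    w = exposure_window(findings, severity, as_of)
    c = sla_compliance(findings, severity, as_of)
    rate = "n/a" if c["rate"] is None else f"{c['rate']:.0%}"
    return (f"{severity.title()} findings as of {as_of.isoformat()}: {w['count']} tracked, "
            f"{w['open']} open; exposure window mean {w['mean']} days, median {w['median']}, "
            f"p90 {w['p90']}; {c['sla_days']}-day SLA met for {c['met']} of {c['assessed']} "
            f"assessed ({rate}), {c['open_past_sla']} open past SLA, {c['pending']} pending.")


if __name__ == "__main__":
    for sev in ("critical", "high"):
        print(board_line(FINDINGS, sev))
```

On the sample, the critical line reads as a 12-day mean with a 28-day p90 and a 50% SLA rate with one finding open past SLA; the 94%-style completion figure the article warns against would have shown none of that.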

Financial metrics are where board-level reporting becomes genuinely actionable. The FAIR (Factor Analysis of Information Risk) model provides a structured methodology for expressing cyber risk as expected loss, combining the frequency of loss events with the magnitude of their impact in financial terms, each estimated as a range rather than a single number and combined, usually by simulation, into a distribution of annual loss. A board that sees "expected annual loss from ransomware to core banking systems: CHF 8.2M, within our risk tolerance of CHF 15M" has information it can act on: whether to accept the residual risk, invest in additional controls to reduce expected loss, or transfer risk through cyber insurance. The expected value should be presented together with its tail (a 90th or 95th percentile year), because an average inside tolerance says nothing about whether a bad year breaches it. This is the conversation FINMA's risk appetite framework is designed to enable.
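How CHF figures of the kind quoted above can be produced, as an added example that is neither the article's own code nor the FAIR standard's reference method: a Monte Carlo over the FAIR decomposition (loss event frequency times loss magnitude), with three-point estimates sampled as triangular distributions in place of the PERT distributions practitioners usually fit. Every scenario figure, the CHF 15M tolerance and the control cost are hypothetical placeholders, not calibrated loss data. Beyond the point estimate in the paragraph, it reports the p90 year and how often a simulated year breaches tolerance, and it prices a control by the ALE reduction it buys net of its annual cost.

```python
"""FAIR-style expected annual loss by Monte Carlo simulation. Added example,
not code from the article or from the FAIR standard: the FAIR decomposition
(loss event frequency x loss magnitude) is kept, but three-point estimates are
sampled as triangular distributions, a simplification of the PERT/beta
distributions usually fitted. All scenario figures, the tolerance and the
control cost are hypothetical placeholders."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class ThreePoint:
    """Min / most-likely / max estimate, sampled as a triangular distribution."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)


@dataclass(frozen=True)
class Scenario:
    name: str
    lef: ThreePoint  # loss event frequency, events per year
    lm: ThreePoint   # loss magnitude per event, CHF


def poisson(lam: float, rng: random.Random) -> int:
    """Event count for one year at rate lam (Knuth's algorithm; fine for small lam)."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(scenario: Scenario, trials: int, seed: int) -> list:
    """One simulated year per trial: draw a frequency, draw the event count, sum event losses."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(scenario.lef.sample(rng), rng)
        losses.append(sum(scenario.lm.sample(rng) for _ in range(events)))
    return losses


def nearest_rank(sorted_values, q: float) -> float:
    """Nearest-rank percentile of an ascending list, q in (0, 1]."""
    return sorted_values[max(0, math.ceil(q * len(sorted_values)) - 1)]


def summarise(scenario: Scenario, tolerance_chf: float,
              trials: int = 20000, seed: int = 7) -> dict:
    """Expected annual loss (the mean), the p90 year, and how often a year breaches tolerance."""
    losses = sorted(simulate_annual_losses(scenario, trials, seed))
    ale = sum(losses) / len(losses)
    return {
        "scenario": scenario.name,
        "ale_chf": ale,
        "p90_chf": nearest_rank(losses, 0.9),
        "p_exceed_tolerance": sum(1 for x in losses if x > tolerance_chf) / len(losses),
        "ale_within_tolerance": ale <= tolerance_chf,
    }


def control_return(base: Scenario, mitigated: Scenario,
                   annual_control_cost_chf: float, tolerance_chf: float) -> dict:
    """Annual ALE reduction attributable to a control, net of its cost (a ROSI-style view)."""
    reduction = (summarise(base, tolerance_chf)["ale_chf"]
                 - summarise(mitigated, tolerance_chf)["ale_chf"])
    return {"ale_reduction_chf": reduction,
            "net_benefit_chf": reduction - annual_control_cost_chf,
            "benefit_cost_ratio": reduction / annual_control_cost_chf}


# Hypothetical scenarios (constructed figures): ransomware reaching core banking,
# before and after a control that shortens recovery (for instance immutable backups).
RANSOMWARE = Scenario("ransomware, core banking",
                      lef=ThreePoint(0.05, 0.2, 0.6),
                      lm=ThreePoint(1_000_000, 6_000_000, 40_000_000))
RANSOMWARE_MITIGATED = Scenario("ransomware, core banking, immutable backups",
                                lef=ThreePoint(0.05, 0.2, 0.6),
                                lm=ThreePoint(500_000, 3_000_000, 15_000_000))
TOLERANCE_CHF = 15_000_000  # hypothetical board-approved financial risk appetite

if __name__ == "__main__":
    print(summarise(RANSOMWARE, TOLERANCE_CHF))
    print(control_return(RANSOMWARE, RANSOMWARE_MITIGATED, 800_000, TOLERANCE_CHF))
```

With these placeholder inputs the mean ALE sits comfortably inside the CHF 15M tolerance while the p90 year lands near it and roughly one year in eight breaches it, which is the point the paragraph makes about reporting the tail with the average. The seed is fixed so a board figure can be reproduced at the next reporting cycle; for real use the three-point estimates would be calibrated against the loss data discussed later in the article.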

Practical Challenges in Swiss Institutions

Swiss financial institutions face specific structural challenges in building financial risk metrics for cybersecurity. Loss data is scarce and often non-public: Swiss banking secrecy traditions and reputational concerns mean that cyber incident loss data is not shared in the way that operational risk loss data is compiled through industry consortia in other jurisdictions. FINMA's mandatory incident reporting requirement under Circular 2023/1 is building a supervisory dataset, but it is not yet accessible to institutions for benchmarking purposes. Security leaders building FAIR models for board reporting must work primarily from external loss databases — the Advisen Cyber Loss Data or similar commercial datasets — calibrated to Swiss institution characteristics.

Board risk appetite tolerance is frequently expressed at a level of abstraction that makes cyber risk comparison difficult. An institution with a stated zero appetite for reputational risk and a moderate appetite for financial loss needs to be able to place a cyber incident that causes a CHF 2M operational loss but results in NCSC public disclosure on the correct point of the risk tolerance map. CISOs who have mapped their cyber risk metrics to the institution's existing risk appetite taxonomy — using the same risk categories, severity scales, and escalation thresholds — are consistently more effective at securing investment and board attention than those who maintain a parallel risk language.

◆ Key Takeaway

Board-level cybersecurity reporting fails not because boards do not care about cyber risk but because security teams report in operational metrics that boards cannot map to risk appetite, investment decisions, or regulatory obligations. FINMA Circular 2023/1 requires a measurable risk appetite framework — producing metrics boards can actually use to govern cyber risk is a regulatory requirement, not a communication preference.

Connecting Metrics to FINMA Governance Expectations

FINMA supervisors reviewing board-level cyber risk governance look for three specific indicators: that the board has approved and documented a cyber risk appetite expressed in measurable terms; that management reports regularly against that appetite using consistent metrics; and that the board demonstrates understanding of the institution's actual risk posture, not just policy compliance. Supervisory interviews with board members that reveal they cannot describe the institution's current vulnerability exposure, its recovery time capability, or its patch cycle performance against peer benchmarks are a governance finding. Swiss CISOs who brief boards quarterly on technical posture but have not structured reporting to address these three questions are building a supervisory gap even when technical security is adequate.

The audit function is the third audience that Swiss security leaders often underweight in their reporting design. Internal audit for Swiss banks and insurers includes independent assurance over the adequacy of the cyber risk management framework — not just the controls, but the governance. Audit findings on inadequate board-level reporting on cyber risk appear in supervisory correspondence. A reporting framework designed jointly with internal audit, and aligned to the institution's risk appetite documentation, addresses the governance layer that pure technical reporting misses.

  • Map your security metrics to the institution's board-approved risk appetite framework — use the same risk categories, tolerance thresholds, and escalation criteria that the board uses for credit and market risk.
  • Replace vulnerability count dashboards in board reporting with programme metrics: vulnerability exposure window (days), patch SLA compliance rate against your stated critical-patch timeline, and phishing click rate trend over rolling quarters.
  • Build at least one FAIR-based expected annual loss estimate for your top two or three cyber threat scenarios (ransomware to core systems, data breach at a material third party, privileged access compromise); present these against the institution's financial risk appetite on an annual basis.
  • Brief your board on three questions it should be able to answer after each reporting cycle: what is our current exposure window for critical vulnerabilities, what is our recovery time capability for our most critical system, and how does our patch cycle performance compare to FINMA supervisory expectations?
  • Engage internal audit in the design of your board reporting framework — audit assurance over the adequacy of board-level cyber risk governance reduces the supervisory gap and creates a documented review cycle for the reporting methodology itself.
  • Track actual patch cycle performance against stated SLA in every board report; a policy stating 7-day critical patching with actual performance of 21 days is a documented contradiction that will surface in a supervisory review — report the gap proactively rather than waiting for it to be identified externally.
  • If your institution does not yet have a documented cyber risk appetite approved by the board, initiate that process as the first step — the absence of a measurable appetite is the foundational governance gap that makes all downstream reporting inadequate by design.

The shift from technical security reporting to board-level risk governance reporting is not primarily a communication challenge. It is a measurement design challenge: identifying which metrics connect security activity to risk posture, and which risk posture metrics connect to the financial and strategic decisions boards are responsible for making. Swiss institutions that make this connection are building the governance infrastructure that FINMA's operational resilience framework requires — and that will be tested in the next supervisory review cycle whether or not a cyber incident has occurred. The institutions that build it before that review are in a materially different position from those that wait for a finding.