Why Financial Services Organizations Need Red Teaming

Financial services faces the highest volume of targeted cyberattacks of any sector. IBM’s 2025 Cost of a Data Breach Report puts the average financial sector breach at USD 5.56 million. Red teaming is no longer optional here. TIBER-EU, CBEST, and DORA all mandate or strongly expect adversary simulation, and FINMA’s operational resilience guidance pushes Swiss institutions in the same direction.

The numbers tell a clear story. 84% of financial services organisations now run annual red team assessments, the highest adoption rate of any industry. Yet 92% of those engagements still achieve their primary objective, exposing persistent gaps in even the most mature defensive programmes. High-value data, real-time transaction processing, dense interconnections, and constant regulatory scrutiny make this sector both the most attacked and the most tested.

This guide covers the regulatory landscape, threat scenarios, and practical implementation for banks, insurers, asset managers, and fintech organisations.

What Is the Regulatory Landscape for Red Teaming in Financial Services?

TIBER-EU: The European Framework for Threat-Led Penetration Testing

TIBER-EU (Threat Intelligence-Based Ethical Red Teaming) is the European framework for intelligence-led red team testing of financial institutions. Developed by the European Central Bank and adopted by approximately 20 EU/EEA jurisdictions plus Switzerland, TIBER-EU represents the most complete regulatory approach to adversary simulation globally.

Key characteristics of TIBER-EU:

  • Threat intelligence-led: Engagements begin with a targeted threat intelligence report identifying the most relevant threat actors and their TTPs
  • Realistic scope: Tests cover people, processes, and technology without artificial limitations
  • Live production environments: Testing occurs against actual production systems, not isolated test environments
  • Regulatory oversight: National authorities supervise the testing process and validate results
  • Confidential results: Test results are shared only with the tested entity and its regulators

TIBER-EU statistics:

| Metric | Value |
|---|---|
| Participating countries | ~20 EU/EEA + Switzerland |
| Financial institutions tested (cumulative) | 400+ |
| Average engagement duration | 6-12 months |
| Average cost per engagement | EUR 250,000-500,000 |
| Percentage of SIFIs that have completed testing | 78% |

TIBER-CH: Switzerland’s Implementation

Switzerland adopted the TIBER framework as TIBER-CH, administered through the Swiss Financial Market Supervisory Authority (FINMA) in coordination with the Swiss National Bank. TIBER-CH is mandatory for systemically important financial institutions and strongly recommended for other supervised entities.

TIBER-CH specifics:

  • Aligned with the TIBER-EU framework with Swiss-specific adaptations
  • Mandatory for Category 1 and 2 systemically important institutions
  • Testing must be conducted by TIBER-CH-accredited red team providers
  • Results inform FINMA’s supervisory assessment of operational resilience
  • The SNB coordinates testing of payment system participants

For a full overview of TIBER-CH requirements and accredited testing providers, the FINMA cybersecurity guidance page provides detailed regulatory information.

DORA: Digital Operational Resilience Act

The EU’s Digital Operational Resilience Act (DORA), effective since January 2025, establishes a unified framework for ICT risk management in the financial sector. DORA Article 26 specifically mandates Threat-Led Penetration Testing (TLPT) for significant financial entities.

DORA TLPT requirements:

  • Mandatory for financial entities identified by competent authorities as significant
  • Testing must cover critical or important functions
  • Must be conducted at least every three years
  • Tests must follow TIBER-EU or equivalent national frameworks
  • Internal testers may be used, but an external threat intelligence provider is required
  • Results must be reported to competent authorities
  • A “purple team” phase is mandatory following the red team assessment

DORA coverage:

| Entity Type | TLPT Required | ICT Risk Management |
|---|---|---|
| Credit institutions (banks) | Significant entities | All |
| Insurance/reinsurance | Significant entities | All |
| Investment firms | Significant entities | All |
| Payment institutions | Significant entities | All |
| Crypto-asset service providers | Significant entities | All |
| ICT third-party service providers | By designation | Critical providers |

CBEST: The UK Framework

While primarily applicable to UK-regulated firms, CBEST has influenced the development of TIBER-EU and remains relevant for Swiss financial institutions with UK operations. CBEST testing is intelligence-led and assesses the cyber resilience of systemically important financial institutions against sophisticated attacks.

FINMA Requirements

FINMA’s supervisory framework for operational resilience, particularly FINMA Circular 2023/1 on Operational Resilience, establishes expectations for Swiss financial institutions that drive red team adoption:

  • Operational resilience testing: Institutions must regularly test their ability to maintain critical functions during severe disruption scenarios
  • Scenario-based testing: FINMA expects scenario-based assessments that go beyond traditional penetration testing
  • Third-party risk: Outsourcing arrangements must include provisions for security testing, including red team assessments
  • Board-level reporting: Cybersecurity risk and testing results must be reported to the board at least annually

What Are the Specific Cyber Threats to Financial Services?

Threat Actor Landscape

Financial institutions face the full spectrum of threat actors, from state-sponsored groups to financially motivated criminals:

State-sponsored groups targeting Swiss financial institutions:

| Group | Origin | Primary Objective | Notable TTPs |
|---|---|---|---|
| APT29 (Cozy Bear) | Russia | Espionage, sanctions intelligence | Sophisticated phishing, supply chain compromise |
| APT41 (Winnti) | China | Financial theft, IP theft | Web application exploitation, custom malware |
| Lazarus Group | North Korea | Financial theft (SWIFT, cryptocurrency) | Spear-phishing, watering holes, supply chain |
| APT34 (OilRig) | Iran | Espionage, destructive capability | DNS tunneling, credential harvesting |

Financially motivated groups:

| Group | Primary Method | Average Impact |
|---|---|---|
| FIN7/Carbanak successor | BEC, card fraud | USD 1-50M per campaign |
| LockBit 4.0 | Ransomware | USD 500K-5M per incident |
| Scattered Spider | Social engineering, SIM swapping | USD 1-10M per incident |
| Various BEC operators | Wire fraud, invoice manipulation | USD 100K-5M per incident |

Attack Scenarios Specific to Financial Services

Red team engagements for financial institutions should simulate the following high-priority scenarios:

1. SWIFT Network Compromise

The SWIFT (Society for Worldwide Interbank Financial Telecommunication) network remains a high-value target following the 2016 Bangladesh Bank heist. Red team scenarios should test:

  • Compromise of SWIFT operator workstations
  • Exploitation of the SWIFT Alliance Lite2 gateway
  • Manipulation of payment messages
  • Integrity of reconciliation and fraud detection systems
  • Effectiveness of SWIFT Customer Security Programme (CSP) controls

2. Trading Floor Compromise

Unauthorized access to trading systems can enable market manipulation, front-running, and direct financial theft:

  • Physical and logical access to trading terminals
  • Exploitation of market data feeds
  • Manipulation of algorithmic trading systems
  • Unauthorized order placement
  • Insider threat simulation

3. Core Banking System Penetration

Core banking platforms process all account transactions and hold customer data:

  • Attack paths from internet-facing systems to core banking
  • Exploitation of middleware and integration layers
  • Database manipulation and transaction fraud
  • Data exfiltration of customer records
  • Persistence and detection evasion

4. Insurance Underwriting and Claims Manipulation

Insurance-specific scenarios include:

  • Manipulation of underwriting models to alter pricing
  • Fraudulent claims processing through system compromise
  • Exfiltration of actuarial data and pricing models
  • Compromise of reinsurance treaty data

“The most valuable red team engagements in banking are those that simulate the full kill chain — from initial access through a spear-phishing email to the moment an unauthorized SWIFT transfer is initiated. It is this end-to-end perspective that reveals the gaps that vulnerability scans and compliance audits miss.” — Sherri Davidoff, CEO of LMG Security and author of Data Breaches

5. Cryptocurrency and Digital Asset Threats

For fintech and digital asset firms, particularly those in Switzerland’s Crypto Valley:

  • Hot wallet compromise and key extraction
  • Smart contract exploitation
  • Bridge protocol attacks
  • Exchange platform manipulation
  • Custodial key management attacks

How Should Banks Structure Their Red Team Programs?

Engagement Model for Systemically Important Banks

Systemically important banks should adopt a multi-layered red team program:

Annual TIBER-CH engagement:

  • Full-scope, threat intelligence-led red team assessment
  • 6-12 month duration including threat intelligence, red team, and purple team phases
  • Conducted by TIBER-CH-accredited external providers
  • Results reported to FINMA and the SNB

Quarterly targeted assessments:

  • Focused red team exercises targeting specific high-risk areas
  • Rotating focus across SWIFT operations, trading infrastructure, digital banking, and third-party integrations
  • Can use internal red team capabilities supplemented by external specialists

Continuous validation:

  • Automated adversary simulation platforms for ongoing detection validation
  • Breach and attack simulation (BAS) across endpoint, network, and cloud controls
  • Continuous phishing simulation for employee security awareness

Purple team integration:

  • Monthly purple team sessions between red team and SOC
  • Real-time collaboration during red team exercises
  • Shared metrics and improvement tracking

Budget Allocation

| Component | Typical Annual Budget (Large Bank) | Percentage |
|---|---|---|
| TIBER-CH engagement | CHF 350,000-500,000 | 35% |
| Quarterly targeted assessments | CHF 200,000-300,000 | 25% |
| Continuous validation platforms | CHF 150,000-250,000 | 18% |
| Internal red team salaries (3-5 FTE) | CHF 600,000-900,000 | - |
| Red team tooling and infrastructure | CHF 80,000-120,000 | 10% |
| Training and development | CHF 50,000-80,000 | 7% |
| Purple team operations | CHF 40,000-60,000 | 5% |

For organisations seeking to implement or enhance their red team programs, experienced red team providers with financial sector specialization can help design engagement models appropriate for the organization’s size, complexity, and regulatory requirements.

What Are the Key Differences Between Red Teaming for Banks vs. Insurance vs. Fintech?

Banking-Specific Considerations

  • Real-time payment systems: Red team scenarios must account for the time-critical nature of payment processing
  • Interbank connectivity: SWIFT, TARGET2, SIX SIC, and correspondent banking relationships create unique attack surfaces
  • Regulatory capital impact: Cyber incidents can affect capital adequacy calculations
  • Systemic risk: Compromise of a systemically important bank could cascade across the financial system

Insurance-Specific Considerations

  • Actuarial data sensitivity: Pricing models and mortality/morbidity data represent unique high-value targets
  • Claims processing: Automated claims systems are vulnerable to manipulation
  • Policyholder data: Personal health and financial data subject to enhanced protection
  • Longer detection windows: Insurance fraud may not be detected for months or years

Fintech-Specific Considerations

  • Cloud-native infrastructure: Fintech companies typically operate entirely in cloud environments, requiring cloud-specific red team techniques
  • API-first architecture: APIs are the primary attack surface, requiring thorough API security testing
  • Rapid deployment cycles: CI/CD pipelines must be tested for supply chain compromise
  • Third-party integrations: Banking-as-a-service and open banking APIs create complex trust relationships
  • Cryptocurrency/DeFi: Digital asset custody and smart contract security require specialized expertise

What Are Common Red Team Findings in Financial Services?

Based on aggregated data from red team engagements across the financial sector, the most common findings include:

| Finding | Frequency | Average Severity |
|---|---|---|
| Active Directory privilege escalation paths | 94% | Critical |
| Insufficient network segmentation between zones | 78% | Critical |
| Legacy system vulnerabilities in core banking | 72% | High |
| MFA bypass through social engineering | 68% | High |
| Inadequate monitoring of east-west traffic | 65% | High |
| Excessive service account privileges | 62% | High |
| Unpatched middleware and integration platforms | 59% | Medium-High |
| Physical security gaps (tailgating, badge cloning) | 54% | Medium |
| Cloud IAM misconfigurations | 51% | High |
| Weak database access controls | 47% | High |

Case Study: Red Team Assessment of a Swiss Private Bank

Note: Details have been anonymized to protect client confidentiality.

Organization: A Swiss private bank with CHF 45 billion in assets under management, 1,200 employees, and offices in Zurich, Geneva, and London.

Engagement type: TIBER-CH-aligned red team assessment

Duration: 8 months (2 months threat intelligence, 4 months red team, 2 months purple team and remediation validation)

Scenario: Simulation of a state-sponsored threat actor targeting high-net-worth client data and SWIFT payment capabilities

Key phases and findings:

Phase 1 — Threat Intelligence: The threat intelligence provider identified three relevant threat groups and their TTPs, producing a detailed targeting report that informed red team scenario development.

Phase 2 — Initial Access: The red team achieved initial access through a spear-phishing campaign targeting relationship managers. A tailored email referencing a real investment conference led to credential compromise within 48 hours.

Phase 3 — Lateral Movement: From the initial foothold, the red team exploited Active Directory certificate services misconfigurations to escalate privileges to domain administrator within 6 days. The SOC did not detect the lateral movement.

Phase 4 — Objective Achievement: The red team achieved access to the SWIFT operator environment within 14 days of initial compromise. They demonstrated the ability to stage (but did not execute) unauthorized payment messages. Additionally, they exfiltrated a sample of client portfolio data (using synthetic data in the test environment).

Phase 5 — Detection Validation: The SOC detected the red team activity only after the team deliberately increased operational noise on day 18. The mean time to detect was 18 days, exceeding the bank’s SLA of 48 hours.

Outcomes:

  • 47 findings documented, including 8 critical and 14 high severity
  • SWIFT environment network segmentation redesigned
  • Active Directory certificate services hardened
  • SOC detection rules expanded by 34 new rules
  • Purple team exercises scheduled quarterly
  • Follow-up assessment scheduled for 6 months post-remediation

How Does DORA Change Red Teaming Requirements for Financial Institutions?

DORA’s TLPT requirements represent a significant expansion of mandatory red team testing in the EU financial sector. Key implications for financial institutions:

Expanded scope of entities: DORA applies TLPT requirements beyond just banks to include insurance companies, investment firms, payment institutions, and even critical ICT third-party service providers. This significantly expands the number of organisations that must conduct red team assessments.

Three-year testing cycle: DORA mandates TLPT at least every three years for designated significant entities. While this is a minimum, regulators expect more frequent testing for the largest institutions.

Mandatory purple teaming: Unlike earlier frameworks, DORA explicitly requires a purple team phase following each red team assessment. This ensures that findings translate into measurable defensive improvements.

Regulatory reporting: TLPT results must be submitted to competent authorities, who will use them to inform supervisory assessments. This creates strong incentives for organisations to demonstrate effective programs.

ICT third-party testing: DORA introduces the concept of pooled testing for critical ICT third-party service providers, where multiple financial entities coordinate testing of a shared provider. This is a novel approach to supply chain security validation.

What Are the Best Practices for Red Teaming in Financial Services?

Engagement Planning

  1. Start with threat intelligence: Always begin with a current threat intelligence assessment specific to your institution, geography, and sub-sector
  2. Define realistic objectives: Align red team objectives with actual adversary motivations (financial theft, espionage, disruption)
  3. Include all relevant attack surfaces: Physical, social engineering, network, application, and cloud must all be in scope
  4. Establish clear communications protocols: Define war room procedures, emergency stop protocols, and escalation paths
  5. Ensure regulatory alignment: Verify that engagement design meets TIBER-CH, DORA, or other applicable framework requirements

During the Engagement

  1. Maintain operational security: Red team activities should be known only to a minimal “white team” within the organization
  2. Monitor for real incidents: Ensure the ability to distinguish red team activity from actual attacks throughout the engagement
  3. Document everything: Thorough logging of all red team actions is essential for the purple team phase and regulatory reporting
  4. Respect ethical boundaries: Never access real customer data, execute real financial transactions, or cause operational disruption
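As an added example (not code from the original guide or from any regulator), the following Python script shows how the "document everything" and "monitor for real incidents" practices feed the purple team metrics used earlier in this guide: it correlates the white team's red team activity log with the SOC alert queue, reports detection coverage and time to first detection against a 48-hour SLA, and flags any alert that matches no red team action so it is handled as a possible real incident. All hosts, rule names and timestamps are constructed sample data.

```python
from datetime import datetime, timedelta

# Constructed sample data, not from the original page. RED_TEAM_LOG is the white
# team's record of every red team action; SOC_ALERTS is the SOC queue for the
# same engagement window (hosts and rule names are hypothetical).
RED_TEAM_LOG = [
    {"id": "RT-001", "ts": "2026-01-10T09:12:00", "host": "mail-gw", "technique": "spear-phishing email"},
    {"id": "RT-002", "ts": "2026-01-12T14:30:00", "host": "ws-fin-042", "technique": "AD CS misconfiguration abuse"},
    {"id": "RT-003", "ts": "2026-01-16T11:05:00", "host": "ws-fin-042", "technique": "SWIFT operator segment access"},
    {"id": "RT-004", "ts": "2026-01-28T08:00:00", "host": "ws-fin-042", "technique": "deliberately noisy internal scan"},
]
SOC_ALERTS = [
    {"ts": "2026-01-28T09:40:00", "host": "ws-fin-042", "rule": "internal port scan"},
    {"ts": "2026-01-13T02:15:00", "host": "203.0.113.7", "rule": "credential stuffing on e-banking login"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def correlate(red_log, alerts, window_hours=72):
    """Attribute each SOC alert to the most recent preceding red team action on
    the same host within window_hours. Returns (attributed, unattributed):
    attributed maps action id -> hours until its first alert; unattributed are
    alerts matching no red team action, which must be handled as real incidents."""
    window = timedelta(hours=window_hours)
    attributed, unattributed = {}, []
    for alert in alerts:
        a_time = _ts(alert["ts"])
        candidates = [act for act in red_log
                      if act["host"] == alert["host"]
                      and timedelta(0) <= a_time - _ts(act["ts"]) <= window]
        if not candidates:
            unattributed.append(alert)
            continue
        act = max(candidates, key=lambda a: a["ts"])  # ISO timestamps sort lexically
        hours = (a_time - _ts(act["ts"])).total_seconds() / 3600
        attributed[act["id"]] = min(hours, attributed.get(act["id"], hours))
    return attributed, unattributed


def report(red_log, alerts, sla_hours=48, window_hours=72):
    """Purple team metrics: share of red team actions that produced an alert, time
    from the first red team action to the first attributed alert, and SLA status."""
    attributed, unattributed = correlate(red_log, alerts, window_hours)
    missed = [act["id"] for act in red_log if act["id"] not in attributed]
    first_action = min(_ts(act["ts"]) for act in red_log)
    first_detection = min((_ts(al["ts"]) for al in alerts if al not in unattributed),
                          default=None)
    ttd_days = (None if first_detection is None
                else (first_detection - first_action).total_seconds() / 86400)
    return {
        "coverage": 1 - len(missed) / len(red_log),
        "missed": missed,
        "time_to_first_detection_days": ttd_days,
        "sla_met": ttd_days is not None and ttd_days * 24 <= sla_hours,
        "possible_real_incidents": [al["rule"] for al in unattributed],
    }


if __name__ == "__main__":
    for key, value in report(RED_TEAM_LOG, SOC_ALERTS).items():
        print(f"{key}: {value}")
```

With the constructed data the only detected action is the deliberately noisy scan, giving 25% coverage and an 18-day time to first detection, while the credential-stuffing alert is surfaced as a possible real incident rather than being dismissed as red team noise.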

Post-Engagement

  1. Conduct thorough purple teaming: The purple team phase is where the majority of security improvement occurs
  2. Track remediation to completion: Every finding should be tracked through remediation and validation
  3. Report to the board: Provide a board-appropriate summary of findings, risk implications, and remediation status
  4. Share anonymized insights: Contribute to sector-wide resilience by sharing anonymized findings through ISACs and regulatory channels

Frequently Asked Questions

How much does a TIBER-CH red team assessment cost?

A full TIBER-CH-aligned assessment typically costs between CHF 350,000 and CHF 500,000 for the red team phase, plus CHF 80,000-150,000 for the threat intelligence phase. Total program costs including purple teaming and remediation validation range from CHF 500,000 to CHF 750,000.

Is red teaming mandatory for Swiss banks?

TIBER-CH is mandatory for Category 1 and 2 systemically important financial institutions. For other FINMA-supervised entities, red teaming is strongly expected as part of operational resilience testing under FINMA Circular 2023/1, though not explicitly mandated.

How often should financial institutions conduct red team assessments?

Best practice is annual TIBER-CH or equivalent assessments for large institutions, supplemented by quarterly targeted assessments. DORA requires TLPT at least every three years as a regulatory minimum.

Can internal teams conduct TIBER-CH testing?

TIBER-CH requires the use of accredited external red team providers for the red team phase. Internal teams can participate in purple team activities and conduct supplementary testing between formal TIBER engagements.

What is the difference between TIBER-EU and regular penetration testing?

TIBER-EU is threat intelligence-led, covers the full organization (people, processes, technology), tests against live production environments, and is supervised by regulatory authorities. Traditional penetration testing is typically scope-limited, conducted in test environments, and focused on technical vulnerabilities rather than realistic adversary simulation.

How does DORA affect Swiss financial institutions?

While DORA is an EU regulation, Swiss financial institutions with EU operations or EU clients may be indirectly affected. Additionally, FINMA has aligned its supervisory expectations with DORA principles, and TIBER-CH incorporates similar requirements for Swiss institutions.

Sources

  1. IBM Cost of a Data Breach Report 2025 — confirms average financial sector breach cost of $5.56M (2025 data)
  2. ECB TIBER-EU — confirms ~20 EU/EEA jurisdictions plus Switzerland have implemented TIBER-EU frameworks

This industry guide is published by CybersecuritySwitzerland.com Research. Information is current as of January 2026. Regulatory requirements are subject to change; organisations should consult with legal counsel and their regulators for definitive compliance guidance.

Last updated: March 2026