Digitalisation, information security, data protection and privacy
Relevance of the topic
Progress in digitalisation is fundamentally changing the financial sector and opening up new opportunities for innovative services and efficient processes. At the same time, the demands placed on the protection of sensitive data and the security of digital systems are increasing.
Due to their business activities, banks hold particularly sensitive data – especially personal data relating to identified or identifiable people. LUKB is obliged by Swiss bank-client confidentiality and data protection law to protect this data comprehensively.
Beyond adhering to the legal requirements, LUKB attaches great importance to protecting the privacy of clients, employees and business partners throughout the Group, as data protection forms the basis for long-term relationships built on trust.
With increasing connectivity and digitalisation, cybersecurity and information security are becoming increasingly important. Cyber attacks represent a mounting threat. Moreover, the growing complexity of modern information and communication technologies (ICT) and their deeply interconnected nature are further increasing the potential risks in the financial sector.
Principle
LUKB protects data and privacy in accordance with the Swiss Data Protection Act, the Swiss provisions on bank-client confidentiality as well as all applicable regulatory provisions. To this end, it maintains a responsible organisation, effective processes and a robust ICT infrastructure. Handling sensitive information responsibly involves not only protecting it from unauthorised access, but also being transparent about the purposes for which data is processed. By adopting a comprehensive data governance system, LUKB has also defined binding principles, responsibilities and control mechanisms for handling data.
Data protection and information security are integral components of risk management. Risks are systematically identified, evaluated, contained and reported to the offices responsible. LUKB takes a holistic approach to guarantee the integrity, availability and confidentiality of all data as well as secure banking operations. This is based on comprehensive internal guidelines, established standards, clear responsibilities and state-of-the-art protective mechanisms. Preventive measures include regular security reviews, penetration tests, contingency and recovery plans as well as practical implementation tests.
LUKB ensures that digital innovations, including applications based on artificial intelligence (AI), are always implemented responsibly and in compliance with the strictest security standards and data protection requirements.
Targets
By taking appropriate technical and organisational measures, LUKB can continue to avoid data incidents, information security breaches and operational outages. It protects the data and privacy of its clients, employees and other business partners and stakeholders in accordance with applicable laws and regulations. The current threat situation must always be kept in view. The company's own infrastructure needs to be tested for vulnerabilities on an ongoing basis and upgraded if necessary.
Status in 2025
Digitalisation
As part of its ‘LUKB30’ strategy, LUKB is further strengthening its technology and data expertise. Through the use of state-of-the-art technologies – including AI – and data-driven sales management, it aims to further improve its offerings, the client experience and efficiency. At the same time, it is further developing its online channel into an integrated sales, transaction and communication channel.
LUKB regulates responsibilities for digitalisation and the use of AI in the areas of development, integration, operations, awareness and training within the existing organisational units. AI is deployed in accordance with LUKB's existing policies, principles and strategies as well as the applicable laws and regulatory requirements.
AI is used as long as it is ethically justifiable, fair and non-discriminatory. LUKB provides information on the use of AI where this is relevant for individuals (clients, employees and applicants) and insofar as they interact directly with AI.
LUKB promotes the acquisition of application experience and the implementation of specific AI training courses (best practices, security, data protection, etc.) for its employees. This also includes the provision of tools such as instructions and points of contact through which support is available.
When using AI, the focus is on prevention, including training employees on how to use AI correctly. Employees must be regarded as an integral part of the development, implementation and operation of AI systems. Human monitoring, evaluation and error correction ensure transparent, (technically) correct, comprehensible and responsible AI-based decision making. This also involves critically questioning the use of AI tools.
LUKB strives to ensure that the content and predictions generated by AI are of a quality that is commensurate with the intended use. Within the ambit of AI projects, measures are implemented to ensure compliance with the information security protection objectives (confidentiality, availability and integrity).
The risks associated with AI are identified, assessed and monitored within the scope of the existing risk types (operational, compliance and reputational risks). LUKB only uses AI applications that it understands, and it must also be able to explain and control them. It ensures that data subjects can also exercise the right to access, the right to rectification and the right to object to AI services.
Information and cybersecurity
Governance and risk management
LUKB manages its information security and cyber risks using clearly defined responsibilities, international standards and a three-lines-of-defence model. Strategic requirements and operational implementation are closely coordinated and are subject to strict internal controls.
In its role as the highest governing body, the Board of Directors is responsible for defining the cyber risk and business continuity management (BCM) strategies as well as the risk policy. The Risk and Strategy Committee of the Board of Directors specifies the requirements of the risk policy in corresponding sub-policies and monitors the implementation of the risk strategies. Overall operational responsibility for cyber risks lies with the Group Executive Board, which delegates implementation to the relevant operational units. Implementation, control and monitoring are organised in the form of the three independent lines of defence according to FINMA Circular 2017/01 ‘Corporate governance – banks’1), with the Chief Information Security Officer (CISO) assigned to the independent second line of defence.
Aligned with the objectives of the Group, ICT, BCM and cyber risk strategy, the risk policy defines the framework concept for institution-wide risk management as a tool for achieving the business policy objectives and ensuring the proper functioning of the institution. The operational risks sub-policy specifies the principles set out in the risk policy for managing LUKB's operational risks, in particular with regard to the cyber risks it incorporates. The corresponding security principles are defined at directive level based on the NIST Cyber Security Framework2) and ISO 27002:20223) international standards. The security principles are specified in the LUKB Security Handbook with corresponding security requirements.
2) https://www.nist.gov
3) https://www.iso.org
The Board of Directors, the Risk and Strategy Committee of the Board of Directors (RSC-BoD) and the Group Executive Board are regularly informed about cyber risks as part of the reporting on operational risks (quarterly reporting by means of the risk report of the independent second line of defence and ad hoc if necessary) and are involved in decisions depending on the assessed risk.
Compliance with the regulatory requirements is periodically reviewed by the internal auditors and the external audit firm. As the regulatory supervisory authority, FINMA also carries out on-site inspections of its supervised entities.
Security measures
The following provides an overview of the implemented security measures relevant to LUKB. LUKB is guided by the NIST Cyber Security Framework (National Institute of Standards and Technology).
Identify: LUKB conducts regular risk analyses and risk assessments. The main ICT providers monitor selected systems for vulnerabilities on a 24/7 basis. LUKB has access to the information and reporting platform of the National Cyber Security Centre (NCSC) and thus receives timely alerts on cyber threats.
Protect: The main ICT providers have implemented customary baseline ICT protection, which is contractually guaranteed as part of ICT provider management. LUKB employees attend regular security awareness training. Operating in conjunction with internal and external security experts, LUKB monitors compliance with the guidelines on the protection of critical data by means of technical and organisational security measures. In addition, LUKB carries out regular penetration tests together with external experts in order to secure its ICT systems and check for any vulnerabilities.
Detect: The Security Operations Centres (SOCs) of the main ICT providers monitor their own systems and the LUKB systems for cyber attacks on a 24/7 basis. Clients and employees can report security incidents (such as vulnerabilities) via the existing escalation processes.
Respond: The Security Operations Centres (SOCs) of the main ICT providers respond to cyber attacks together with the LUKB ICT and security units. If necessary, they are supported by Swisscom's Computer Security Incident Response Team (CSIRT). LUKB operates an internal crisis organisation and has prepared for serious but plausible scenarios by means of business continuity plans and regular exercises.
Recover: In an emergency, the main ICT providers restore the critical systems by means of disaster recovery plans (DRPs) as part of the agreed service level agreements (SLAs).
Relevant regulations and standards
The following list is a non-exhaustive overview of the relevant regulations and standards that are taken into account in governance and risk management in the area of information security and cybersecurity:
- Federal Act on Banks and Savings Banks (BankA)
- Federal Act on Data Protection (FADP)
- Federal Act on Information Security (ISA)
- Cybersecurity Ordinance (CSO)
- FINMA Circular 2017/01 ‘Corporate governance – banks’
- FINMA Circular 2018/03 ‘Outsourcing’
- FINMA Circular 2023/01 ‘Operational risks and resilience – banks’
- FINMA Guidance 05/2020
- FINMA Guidance 03/2024
- FINMA Guidance 08/2024
- ISO 27001 and ISO 27002:2022
- NIST Cyber Security Framework
Data protection
In 2023, LUKB implemented the new and updated provisions of the revised Swiss Federal Act on Data Protection (FADP) and took the resulting organisational, contractual and technical action required to guarantee compliance with data protection law. On 15 January 2024, the European Commission decided that the FADP is equivalent to the EU General Data Protection Regulation (GDPR) (equivalence decision).
LUKB provides transparent and detailed information on data protection1) and information security2) on its website. In the case of current information security issues, information to protect clients and their assets is provided on a topical ad hoc basis.
2) https://www.lukb.ch/ueber-uns/rechtliches/informations-und-cybersicherheit
According to the applicable data protection law, clients, employees and third parties (including external staff) have the right of access as well as the rights to rectification and deletion, the right to restrict processing, the right to object and the right to data portability with regard to data concerning them. In addition, they have the right to lodge a complaint with the responsible data protection supervisory authority.
LUKB seeks to comply with the principle of data minimisation, which means that only data that is absolutely necessary is collected and processed. The retention period is determined and data is deleted in line with legal requirements and based on the operational needs of the Bank. If personal data is no longer required, it is periodically deleted – as far as technically possible – unless temporary further processing or storage of the data is necessary for the fulfilment of statutory or regulatory retention obligations, for the assertion, exercise or defence of legal claims or for special retention regulations.
If clients make use of their right of access or their rights to rectification, deletion, restriction of processing, objection or data portability, LUKB shall provide the necessary information, rectify or delete the data, restrict its processing or transfer the requested data to the client or to third parties commissioned by them, insofar as this is not restricted by law.
LUKB's outsourcing partners are contractually bound by the corresponding data protection obligations (technical and organisational measures to ensure compliance with data protection and data security). LUKB ensures that agreements can be made with the outsourcing partners as regards the storage of data in Switzerland wherever possible. The same data protection provisions apply to outsourcing partners as to LUKB itself. Compliance is checked within the scope of provider management.
Operational responsibilities and authorities for implementing legal data protection requirements are clearly defined. The Board of Directors (BoD) of LUKB is responsible for the overall management, supervision and control in the area of data protection. It monitors compliance with the relevant laws and regulations. The responsible committee of the BoD is the Audit and Finance Committee (AFC-BoD). The Executive Board of LUKB is responsible for operational implementation. The Head of Legal Services & Compliance assumes the legally prescribed duties as the internal data protection advisor. The Executive Board has issued internal directives on compliance with data protection, which are applicable to all employees. The Executive Board also conducts an annual evaluation of the management of data protection and data protection risks in terms of their fitness for purpose and effectiveness, and ensures that the material and human resources needed for efficient management are in place. The Executive Board deals with internal reports on data protection issues. At Executive Board level, responsibility for data protection lies with the CEO.
Compliance with data protection requirements is also monitored by the independent Compliance units. In addition, LUKB has a data protection advisor. The data protection advisor is the Head of Legal Services & Compliance. The data protection advisor serves as a point of contact for questions and requests for information in connection with data protection. The Compliance function, which reports directly to the CEO, reports annually to the Executive Board, the AFC-BoD and the BoD. It has the authority and remit to approach the Executive Board and the BoD directly in exceptional cases.
Regular awareness-raising campaigns and training courses on data protection and information security are run for all LUKB employees as needed, but at least once a year. This training is compulsory and participation is monitored.
LUKB is interested in long-term, partnership-based business relationships with clients, suppliers and service providers alike. Where service providers (including external staff) are engaged and services outsourced, LUKB obliges suppliers and service providers to uphold bank-client and business confidentiality and to comply with data protection law. These obligations are contractual in nature and compliance with them is checked regularly.
Employee misconduct and breaches of data protection are subject to disciplinary action. Depending on the severity of the misconduct, the sanctions range from a verbal warning to dismissal or even a report to the law enforcement authorities.
LUKB also ensures that internal and external audits are carried out to verify whether the legal requirements and the requirements set out by the supervisory authority are being complied with. The external auditors periodically review areas such as IT, including the handling of electronic client data. No internal or external audits explicitly focused on data protection compliance were carried out in 2025.
No relevant incidents involving client data were identified during the reporting year. Any scope for improvement identified is acted upon immediately.
LUKB did not record any significant complaints relating to data protection during the reporting year.