Cyber Risk And Decision Liability In Private Banking

Where private banks are concerned, what counts is how they show that decisions remained sound, documented and defensible when their information environment came under stress. The author looks at examples from around the world to examine the cyber threats banks face, and how to manage them.
The following article comes from Boecyàn Bourgade, who is an independent researcher and writer based in Switzerland. She addresses the cybersecurity liabilities that face private bankers – a topic all too real at a time when client information is physically and digitally threatened. (Bourgade has written for this news service before.)
Bourgade, who has written for publications such as The European Scientist, The World Financial Review and Fair Observer, aims her insights at senior professionals in private banking, asset management and regulatory functions. The editors are pleased to share these insights; the usual editorial disclaimers apply to views of guest writers. To comment, email tom.burroughes@wealthbriefing.com and amanda.cheesley@clearviewpublishing.com.
The July 2024 global outage linked to CrowdStrike was not described as a cyberattack. Yet it disrupted financial firms, trading operations and market infrastructure across several regions, with difficulties reported from London to Singapore. For financial institutions, the episode was a useful warning: operational disruption does not need to involve data theft, malicious intrusion or system compromise to affect the conditions under which financial decisions are made.
The same point applies to third-party risk. In June 2025, UBS and Pictet were reported to have been affected by a data leak following a cyber attack on Chain IQ, an external service provider in Switzerland. UBS stated that client data had not been compromised. That distinction is important. But the incident still underlined a broader reality for private banks: exposure can arise through external dependencies, even when the bank’s own core systems and client-facing services appear formally contained.
These examples matter because private banking is not only a business of transactions. It is a business of judgment. Portfolio allocation, risk management, suitability, client advisory work and investment recommendations all depend on the quality of the information available at the time a decision is made. If that informational environment is delayed, fragmented, inconsistently sequenced or degraded, the issue is no longer only whether a system was technically secure. It is whether the decision made based on that system remains defensible.
This is where cyber risk begins to move beyond the traditional operational frame. Private banks have usually assessed cyber incidents through visible failures: unauthorised access, data breaches, fraud, operational shutdowns, client data exposure or breakdowns in internal controls. In that framework, liability tends to follow the incident. A system is breached, data is stolen, controls fail and responsibility is assessed accordingly.
That model remains relevant, but it is becoming incomplete. Some forms of cyber-related disruption do not present as a conventional breach. Systems may continue to function. Data may appear intact. Compliance checks may be formally completed. Yet the conditions under which information is received, processed and interpreted may still be materially affected.
For a private bank, that distinction has practical consequences from the outset. A delayed data feed can affect the timing of a portfolio reallocation. A disruption at an external provider can weaken confidence in information flows. Inconsistent access to systems can affect execution, reporting, client communication and audit trails. A fragmented view of market conditions can influence how risk is interpreted by advisors, investment committees or portfolio managers.
The issue is therefore not only about data integrity in the narrow technical sense. It is decision integrity.
Consider a scenario in which a private bank executes a portfolio adjustment based on market signals that are technically accurate but delayed or inconsistently sequenced across internal systems. No unauthorised access is detected. No data is visibly altered. The formal compliance process is completed. Yet the decision reflects an incomplete or distorted view of market conditions at the time it was made.
If losses arise, the legal and governance question is no longer limited to whether the system was breached. It becomes whether the institution exercised adequate care in ensuring that the informational basis of the decision was sufficiently reliable.
This creates a structural gap between technical classification and legal consequence. A bank may be able to say that no cyber attack occurred, no client data was compromised, and no control was formally bypassed. But that may not be enough if a claimant, regulator or internal review later asks whether the decision-making environment was robust enough to support the fiduciary judgment expected of a private bank.
The difficulty is especially acute in private banking because many decisions are not purely mechanical. They involve interpretation: the suitability of a recommendation, the timing of an allocation, the weighting of risk factors, the way market conditions are communicated to a client, or the way a client’s objectives are translated into portfolio action. These judgments depend on information that is not only correct, but timely, coherent and explainable.
This has direct implications for internal governance. Private banks may need to evidence not only that systems were secure, but that the conditions supporting important decisions were monitored and remained within acceptable bounds. That could mean stronger controls over data consistency, timing, source reliability, escalation procedures and documentation. It also requires closer coordination between cybersecurity, compliance, legal, risk, investment and front-office teams.
The Chain IQ incident illustrates why this is not limited to internal systems. Outsourcing and third-party arrangements are now central to the operating model of many financial institutions. Procurement platforms, cloud services, data providers, cybersecurity tools, client communication systems and administrative service providers can all become part of the decision infrastructure. A failure outside the bank can still affect the bank’s ability to evidence control, continuity and sound judgment.
Regulators are already moving in this direction. FINMA’s 2025 Risk Monitor identifies cyber, ICT and outsourcing risks as significant risks for the Swiss financial centre and calls for more robust controls over the outsourcing of critical functions. It also points to concentration risk around a narrow group of service providers. This is particularly relevant for private banks, whose resilience increasingly depends on infrastructures which they do not fully control.
The wider regulatory landscape points the same way. In the European Union, the Digital Operational Resilience Act places greater emphasis on ICT risk management, incident reporting, resilience testing and oversight of critical ICT third-party providers. In the UK, the operational resilience framework requires financial firms to be able to deliver important business services through disruption, including disruption linked to cyber incidents, IT outages and third-party supplier failures. At the international level, the Basel Committee’s principles on operational resilience also frame cyber incidents and technology failures as events that can threaten critical operations and market functioning.
The direction is clear: regulators are less interested in a narrow distinction between “IT problem” and “business problem.” They increasingly expect firms to understand how technology, outsourcing, cyber resilience, governance and client outcomes are connected.
For private banks, this changes the legal and operational question. It is not enough to ask whether systems are protected against intrusion. Banks must also ask whether the information environment around client decisions remains reliable enough to support the advice being given, the trades being executed and the records being retained.
Existing compliance frameworks are not always designed for this. They tend to focus on discrete, identifiable events: unauthorised transactions, reporting failures, breaches of control, failed approvals or client data incidents. They are less equipped to deal with situations where no specific rule has been violated, but the decision-making process has nevertheless been affected by degraded informational conditions.
That creates exposure without an obvious point of failure. A decision taken on incomplete, delayed or subtly distorted information may remain formally compliant while still raising questions under fiduciary and governance standards. The absence of a breach does not necessarily eliminate liability if the institution cannot demonstrate that its decision process remained robust.
This is where auditability becomes important. In a more complex cyber and outsourcing environment, private banks will need to show not only what decision was made, but how the information supporting that decision was validated. Which systems were relied on? Were any providers experiencing disruption? Were timing delays known? Were inconsistencies escalated? Was the client communication based on a complete and current view of the situation? Were investment and compliance teams working from the same information?
These questions may sound operational, but they are also legal. They help determine whether a bank can defend the quality of its judgment after the fact.
The practical takeaway is therefore straightforward. Private banks should treat cyber risk not only as an IT security issue, but as a condition of reliable decision-making. That means mapping which systems and third parties support client advice, portfolio construction, execution, reporting and record-keeping. It also means testing how decisions are made when information is delayed, incomplete or inconsistent, and ensuring that governance frameworks capture these grey-zone disruptions before they become legal disputes.
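One way to make the timing and consistency controls described above concrete, as an added example that is not from the article or from any bank's systems: a pre-decision gate that checks the market data a reallocation would rely on for staleness, cross-system timing skew and value divergence, and returns its findings as an audit record that can be escalated rather than silently overridden. The system names, instruments, thresholds and sample values are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Observation:
    system: str        # internal system that supplied the value (hypothetical names)
    instrument: str
    price: float
    as_of: datetime    # timestamp the source attached to the value

@dataclass
class GateResult:
    ok: bool
    findings: list = field(default_factory=list)   # entries for the audit trail

def decision_gate(observations, now, max_age=timedelta(seconds=30),
                  max_skew=timedelta(seconds=5), max_divergence=0.005):
    """Clear a reallocation only if every input is fresh, the systems agree on
    when each instrument was last observed, and their values agree."""
    findings, by_instrument = [], {}
    for o in observations:
        by_instrument.setdefault(o.instrument, []).append(o)
        age = now - o.as_of
        if age > max_age:   # delayed feed: technically correct but stale
            findings.append(f"STALE {o.instrument} from {o.system}: {age.total_seconds():.0f}s old")
    for instrument, obs in by_instrument.items():
        if len(obs) < 2:
            continue
        times = [o.as_of for o in obs]
        skew = max(times) - min(times)
        if skew > max_skew:   # inconsistent sequencing across internal systems
            findings.append(f"SKEW {instrument}: systems {skew.total_seconds():.0f}s apart")
        prices = [o.price for o in obs]
        spread = (max(prices) - min(prices)) / min(prices)
        if spread > max_divergence:   # systems disagree on the value itself
            findings.append(f"DIVERGENCE {instrument}: {spread:.2%} across systems")
    return GateResult(ok=not findings, findings=findings)

# Constructed sample: three instruments as seen by order, risk and advisory systems.
NOW = datetime(2025, 6, 10, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE = [
    Observation("OMS", "BOND_A", 100.10, NOW - timedelta(seconds=2)),
    Observation("RISK", "BOND_A", 100.10, NOW - timedelta(seconds=10)),  # 8s behind OMS
    Observation("OMS", "EQ_B", 50.00, NOW - timedelta(seconds=1)),
    Observation("RISK", "EQ_B", 50.50, NOW - timedelta(seconds=2)),      # 1% apart
    Observation("ADVISORY", "FUND_C", 12.34, NOW - timedelta(seconds=45)),  # stale
]
```

A gate result with findings is the record a later review would ask for: which systems were relied on, whether delays were known, and whether the inconsistency was escalated before the trade.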
Cyber risk in private banking is no longer limited to the protection of data or the continuity of systems. It increasingly concerns the reliability of the environment in which fiduciary judgment is exercised.
For private banks, the central question is no longer only whether systems are secure. It is whether the institution can demonstrate that its decisions remained sound, documented and defensible when the informational environment around those decisions came under stress.