Fiduciary firms manage their clients' most sensitive data: annual accounts, tax returns, payroll data, contracts. A cyberattack threatens not only the firm itself, but professional secrecy and the livelihoods of its clients.
A Thursday morning in March. The partner of a Zurich fiduciary firm opens her laptop to find every client dossier encrypted, the backup drive as well. 1,200 clients affected: tax returns, payroll statements, annual accounts, contracts. The attacker demands CHF 80,000 in Bitcoin. This scenario is not fiction. According to the SME Cyber Study 2025, 16% of Swiss SMEs have been hit by a cyberattack in the past five years. Fiduciary firms are particularly attractive targets because they store the financial data of dozens to hundreds of companies in one place.
Professional Secrecy and nDSG Obligations
Professional secrecy under Art. 321 SCC (Swiss Criminal Code) and the data security duties of the nDSG (revised Swiss Data Protection Act, in force since 1 September 2023) set a high bar. Fiduciaries process particularly sensitive personal data: payroll data, tax data, debt enforcement records and, in occupational pension (BVG) files, sometimes health information. A data breach that is likely to result in a high risk for the affected persons must be reported to the FDPIC (Federal Data Protection and Information Commissioner) as soon as possible, and intentional violations of the Act can result in fines of up to CHF 250,000 against the responsible individual. On top of that comes civil liability towards clients. Treuhand Suisse's Treuhand 4.0 initiative explicitly recommends treating cybersecurity as a strategic topic at management level.
The Five Most Important Protective Measures
The five measures below address the entry points most often used against firms of this kind:

1. Multi-factor authentication for every access point, above all fiduciary software, e-banking interfaces and cloud storage. A password alone is no longer adequate for data of this sensitivity.
2. Encrypt client data at rest and in transit, and restrict access strictly on a need-to-know basis. Not every employee needs access to every dossier, and access rights should be reviewed whenever someone changes role or leaves.
3. Configure email authentication with SPF, DKIM and DMARC, and move the DMARC policy from monitoring (p=none) to enforcement (p=reject) once the legitimate senders are known. Spoofed emails sent in the fiduciary's name to clients (business email compromise) are a common attack pattern, and a monitoring-only policy does nothing to stop them.
4. Offline backups following the 3-2-1 rule (three copies, on two different media, one of them in a physically separate location), tested monthly by actually restoring a dossier. At least one copy must be unreachable from the office network; in the scenario above, the backup drive was encrypted along with everything else because it was permanently connected.
5. A documented data deletion policy with defined retention periods, because fiduciary firms often retain former clients' data for years without a legal basis. Data that has been deleted cannot be stolen.
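Whether the third measure actually stops spoofed mail depends on the settings in the published records, not on the records merely existing. The following script is an added example (not code from the original article or from MilesGuard) that parses SPF and DMARC TXT records and reports the weak settings a receiving mail server would not enforce. The two domains and their records are constructed for illustration; in practice you pull the real records with `dig +short TXT your-domain.ch` and `dig +short TXT _dmarc.your-domain.ch` and pass them to the same functions. DKIM is not checked here because the selector name is needed to look up the key record.

```python
"""Check SPF and DMARC TXT records for the weak settings that let spoofed mail through.

Added example: the domain names and records below are constructed for illustration,
not real DNS data. Pull real records with `dig +short TXT example.ch` and
`dig +short TXT _dmarc.example.ch` and pass them to check_spf()/check_dmarc().
"""
import re

# Constructed sample records: a "just make mail work" setup and a hardened one.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example a mx ptr ?all",
        "dmarc": "v=DMARC1; p=none",
    },
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.25 -all",
        "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc-rua@hardened.example; ruf=mailto:dmarc-ruf@hardened.example"),
    },
}

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
SPF_LOOKUP_TERMS = {"a", "mx", "ptr", "exists", "include", "redirect"}


def check_spf(record: str) -> list[str]:
    """Return the weaknesses found in an SPF record; an empty list means none found."""
    findings = []
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    lookups = 0
    all_term = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"   # default qualifier is pass
        body = term.lstrip("+-~?").lower()
        name = re.split(r"[:/=]", body, maxsplit=1)[0]    # mechanism or modifier name
        if name == "all":
            all_term = qualifier + "all"
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            findings.append("'ptr' mechanism is deprecated by RFC 7208; replace it with ip4/ip6 entries")
    if all_term is None:
        findings.append("no 'all' term: senders not listed get a neutral result, so spoofing is not caught")
    elif all_term == "+all":
        findings.append("'+all' authorises every host on the internet to send as your domain")
    elif all_term == "?all":
        findings.append("'?all' is neutral: receivers do not treat unlisted senders as a failure")
    elif all_term == "~all":
        findings.append("'~all' (softfail) only marks spoofed mail; use '-all' once every sender is listed")
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups exceed the limit of 10: receivers return permerror and ignore SPF")
    return findings


def check_dmarc(record: str) -> list[str]:
    """Return the weaknesses found in a DMARC record; an empty list means none found."""
    findings = []
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record (must start with v=DMARC1)"]
    policy = tags.get("p")
    if policy is None:
        findings.append("missing p= tag: the record is invalid and receivers ignore it")
    elif policy == "none":
        findings.append("p=none only monitors: spoofed mail in your name is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; move to p=reject once reports are clean")
    if policy in ("quarantine", "reject") and tags.get("sp") == "none":
        findings.append("sp=none leaves subdomains unprotected although the main domain is enforced")
    pct = tags.get("pct", "100")
    if policy in ("quarantine", "reject") and (not pct.isdigit() or int(pct) < 100):
        findings.append(f"pct={pct}: the policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports and cannot see who spoofs you")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Combine both checks; 'enforcing' is True only when neither record has a finding."""
    spf = check_spf(spf_record)
    dmarc = check_dmarc(dmarc_record)
    return {"spf": spf, "dmarc": dmarc, "enforcing": not spf and not dmarc}


if __name__ == "__main__":
    for domain, records in SAMPLE_RECORDS.items():
        result = assess(records["spf"], records["dmarc"])
        print(f"{domain}: {'enforcing' if result['enforcing'] else 'NOT enforcing'}")
        for finding in result["spf"] + result["dmarc"]:
            print(f"  - {finding}")
```

The weak domain is a typical "it works" configuration: SPF ends in `?all`, so receivers treat unlisted senders as neutral, and DMARC is at `p=none` without a reporting address, so nobody at the firm would ever learn that its domain is being spoofed. The hardened record lists the actual senders, ends in `-all`, enforces `p=reject` on the domain and its subdomains, and routes aggregate reports to a mailbox that somebody reads.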
Supply Chain and Software Vendor Risk
A frequently underestimated risk is the supply chain. Fiduciary firms use specialised software (Abacus, Sage, Bexio, Infoniqa), e-banking interfaces and cloud services, and each of these connections is a potential entry point. Ask your software vendors whether they operate an ISMS (for example one certified to ISO/IEC 27001), how quickly they ship and apply security patches, and whether client data is hosted in Switzerland. Require your IT service providers to furnish evidence of regular security audits, and write their duty to inform you of security incidents into the contract. Since the reporting obligation of the ISG (Information Security Act) came into force on 1 April 2025, operators of critical infrastructures, including the IT service providers they depend on, must report cyberattacks to the NCSC within 24 hours, which increases the pressure across the entire chain.
Next Steps
MilesGuard offers fiduciary firms a tailored security assessment: we review your infrastructure, your software landscape and your organisational measures against the requirements of the nDSG and the recommendations of Treuhand Suisse. You receive a prioritised action plan, and on request we support the implementation as an external security officer (vCISO). This protects not only your own firm, but the trust of your clients.
Sources
- [1] Treuhand Suisse, Treuhand 4.0 initiative
- [2] SME Cyber Study 2025, FHNW / digitalswitzerland
- [3] nDSG (Federal Act on Data Protection), fedlex.admin.ch

