Cybersecurity and System Resilience
Cybersecurity and data protection are core elements of the SMG sustainability strategy, reflected in the pillar securing our digital future. Responsibilities are allocated across business units to protect customer trust.
Data Protection and Cybersecurity Governance
Data protection and cybersecurity governance at SMG is overseen by the Board of Directors and the CEO, supported by the Group Director Security, Trust, and Safety, and the Data Protection Officer. The Group Director Security, Trust, and Safety leads the Security, Trust, and Safety Team, which is responsible for strategy development, target setting, and the processes that underpin SMG’s security posture. The Data Protection Officer heads the Data Protection Team, and serves as the primary point of contact for Swiss data protection authorities.
Single points of contact (SPOCs) within each business unit and Privacy and Security Champions in product and engineering teams contribute to Group-wide engagement and coordinated implementation of processes and initiatives. Close collaboration between the Group Director Security, Trust, and Safety and the Data Protection Officer ensures alignment of cybersecurity and data protection activities across business functions.
The Security, Trust, and Safety Team provides regular updates to the Group Compliance Officer, the Executive Leadership Team, the RAC, and the Board of Directors.
Cybersecurity and System Resilience
Cybersecurity plays a central role in protecting customers and sustaining trust in SMG’s online marketplaces. SMG is exposed to a dynamic threat landscape shaped by increasing digitalisation and rapid technological change.
The 2025 DMA underscores the relevance of this topic, showing the different ways, both positive and negative, that cybersecurity and system resilience impact customers, platform integrity, and the reliability of digital operations.
A strong online presence comes with persistent security risks such as botnets, spammers, ransomware, malware, intrusion attempts, data exfiltration, and marketplace fraud. Without effective mitigation, these threats can compromise personal data or disrupt secure transactions, resulting in identity theft, financial fraud, or loss of customer confidence. This directly impacts customer safety and trust in digital services.
Cyber risks can also emerge beyond SMG’s infrastructure, where third parties manage, host, or process customer data. These partners – including cloud service providers, software suppliers, and IT vendors – are part of the ecosystem that determines platform resilience.
AI can boost resilience by improving the detection of phishing, fraud, and anomalous activity, enabling faster threat identification and a more secure user experience. At the same time, employee use of AI tools can introduce risks if they involve internal systems or external platforms without sufficient governance. Inadequate oversight of training data, model performance, and data processing can compromise privacy, jeopardise personal data, and lead to bias and other ethical concerns. As AI adoption scales up, robust governance and clear controls become increasingly important. Employee awareness and training promote security culture and reduce the likelihood and impact of incidents.
Together, these insights highlight the need for an adaptive, comprehensive approach to cybersecurity that manages risks to customers and platforms while leveraging technology and capability building.
Policy Landscape
Cybersecurity is addressed in the overarching Security Policy, which covers physical security, cybersecurity, and information and data security. It applies to all employees as well as contractors and other third parties who have access to or interact with the infrastructure, systems, services, or premises.
Related policies and directives include the Workplace Security Guideline, the Vulnerability Management Guideline, the AI Guideline, the Incident Management Guideline, and the Crisis Management Guideline. All directives are reviewed at least once a year to ensure they reflect developments in the digital landscape and remain aligned with SMG’s strategic goals.
Security Controls and Mitigation Measures
The information security management system (ISMS), based on the ISO/IEC 27001 standard, forms the foundation for identifying, preventing, and mitigating cybersecurity risks. The ISMS helps protect systems and data from unauthorised access and service disruption, and supports incident reporting and remediation.
The ISMS covers policies, security testing and vulnerability scanning, as well as automated monitoring through security information and event management (SIEM) and security orchestration, automation, and response (SOAR). Platforms and critical systems feature preventive controls including access automation, mandatory security requirements, firewalls, data-enriched intelligence tools for detecting suspicious activity, and fraud detection and prevention mechanisms.
Application security is assessed through a combination of static and dynamic testing, a bug bounty programme, and a vulnerability disclosure programme, complemented by regular penetration testing that identifies and addresses vulnerabilities.
Robust Authentication
Authentication controls are a critical component of customer and employee account security. SMG uses risk-based measures to help prevent phishing and account takeovers, including multi-factor authentication (MFA) and passwordless, phishing-resistant login.
Passwordless (biometric) login is available to all employees and used by a significant proportion. SMG introduced adaptive MFA for customers in 2024. Overall MFA adoption has increased by a factor of 3.5. At least one MFA method is now available in every business unit, and MFA is mandatory for all business customers. This has resulted in 90% uptake in Real Estate and 100% uptake among Automotive business customers. SMG continues to expand MFA coverage and adoption across its platforms. SMG has also introduced passkeys, an innovative technology that provides phishing-resistant MFA without the need for passwords. Additional account security features and proactive reviews of listings before publication further boost platform safety.
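The paragraph above states that passkeys give phishing-resistant MFA, but not why. The reason is that a passkey assertion is bound to the web origin the browser actually loaded and to the relying-party ID the authenticator was registered for, so a credential can only be used on the site that issued it. The following added example (not SMG's code; the domain names, challenge and sample assertions are constructed for illustration) shows the relying-party side of that check: a lookalike login page produces an assertion whose origin and rpIdHash do not match the marketplace, so it is rejected before any password-style secret could be replayed. Verification of the authenticator's signature over authenticatorData || SHA-256(clientDataJSON) is assumed to happen separately and is omitted here.

```python
import base64
import hashlib
import json

# Relying-party (RP) configuration. Domain names are constructed for this example.
EXPECTED_ORIGIN = "https://marketplace.example"
EXPECTED_RP_ID = "marketplace.example"


def b64url(data: bytes) -> str:
    """Unpadded base64url, the encoding WebAuthn uses for challenges."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Build clientDataJSON as the browser would. The browser, not the page's
    JavaScript, fills in 'origin' with the site it is actually showing."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    0x05 = user present (bit 0) + user verified (bit 2). No extensions appended."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes) -> tuple:
    """Return (accepted, reason) for the origin/RP binding checks a relying party
    performs on a WebAuthn assertion before checking the signature."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    # The challenge must be the fresh value the server issued for this login.
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (possible replay)"
    # Origin is set by the browser from the real page URL; a lookalike site cannot forge it.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    # The authenticator only signs for the RP ID the browser permitted for that page.
    if authenticator_data[:32] != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


# Constructed sample login: in practice use a fresh os.urandom(32) challenge per attempt.
CHALLENGE = bytes(range(32))
LEGIT = (make_client_data(EXPECTED_ORIGIN, CHALLENGE),
         make_authenticator_data(EXPECTED_RP_ID))
# Same user tricked onto a lookalike domain: the browser stamps that domain in.
PHISH = (make_client_data("https://marketplace-login.example", CHALLENGE),
         make_authenticator_data("marketplace-login.example"))


def demo() -> dict:
    return {
        "legitimate": verify_assertion_binding(*LEGIT, CHALLENGE),
        "phishing": verify_assertion_binding(*PHISH, CHALLENGE),
    }


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

The point for defenders is that no user judgement is involved: the rejection happens because the browser and authenticator bind the assertion to the real origin, which is what distinguishes passkeys from OTP codes that a user can be talked into typing on the wrong site.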
Secure Transactions
On Ricardo, MoneyGuard facilitates secure transactions by allowing sellers to offer payment methods such as TWINT and credit cards without sharing sensitive bank details. Funds are held until buyers confirm receipt of their items, resulting in transparent, reliable transactions.
Preventive controls also extend to third-party providers that manage, host, or access customer data on behalf of SMG. Vendor due diligence includes a risk assessment in the contracting phase which reviews technical and organisational measures, data processing agreements, and the provider’s security posture, including relevant certifications.
Incident Response Process
A dedicated security and privacy incident response process enables rapid detection, escalation, and remediation of security incidents (for details, see Data Protection). Business unit-specific reporting channels allow employees, partners, and customers to raise issues promptly, which allows for timely investigation and resolution. Each platform maintains a dedicated security inbox managed by the business unit Security Lead, with reports centrally consolidated through SMG’s security reporting channel.
Harnessing the Power of Artificial Intelligence
In 2025, SMG defined a dedicated process for assessing and reviewing AI tools, including model context protocol (MCP) servers and other customer integrations. This process helps manage risk for SMG and its platforms, while enabling employees to use new technologies and customers to benefit from them.
Engineering teams receive guidance, training, and support in promoting the secure, effective use of AI and large language models. Awareness-building activities during the reporting year included AI-focused sessions to help employees adopt new tools safely.
Security Assurance and Operational Resilience
Security assurance and operational resilience activities enhance the effectiveness of SMG’s cybersecurity controls and the continuity of platform operations. Measures such as penetration tests and third-party security audits support early vulnerability identification, boost security practices, and drive continuous improvement of SMG’s security posture.
Bug bounty programmes and the vulnerability disclosure programme enable internal and external parties – including employees, security researchers, industry partners, vendors, customers, and consultants – to report potential vulnerabilities, which aids in early detection.
Testing activities include annual third-party security audits across all platforms, as well as internal evaluation frameworks and KPIs that assess risk treatment and adoption of security directives. The Group runs regular risk assessments in line with ISO 27001 criteria. Security posture and maturity are measured through cybersecurity and trust and safety evaluation frameworks, with metrics such as cyber quotient evaluation (CyQU) and rapid risk assessment (RRA). Group Security reviews the results to ensure continuous improvement.
IAZI applies the SOC Type 2 framework, with certification renewed in 2025 following an external audit.
There were no cybersecurity incidents with a material impact on business continuity or regulatory compliance identified in the reporting period. Minor incidents and attempted attacks were managed through established detection and response processes and did not result in significant operational disruption.
Empowering Employees as a Crucial Line of Defence
Employees play a central role in cybersecurity resilience. New hires undergo mandatory training through SMG’s Learning Universe (SLU), while a range of programmes ensure continuous learning. The annual Cybersecurity Month and other events reinforce awareness throughout the year. The 2025 Cybersecurity Month featured four dedicated events and two competitions, with around 360 employees actively participating in specialised and interactive sessions.
During the reporting year, an automated hands-on platform continued to boost awareness and phishing resilience, with over 70% of employees actively using the tool. Additional training included Amazon Web Services (AWS) disaster recovery simulation game day training for over 100 engineers. A similar crisis disaster simulation session for the Executive Leadership Team and relevant directors bolstered management preparedness for security incidents.
Advancing Cybersecurity beyond SMG
Cybersecurity at SMG goes beyond the Group’s own systems and platforms. Initiatives that promote digital literacy, support cybercrime prevention, and engage with industry partners contribute to a more secure digital environment in Switzerland and throughout Europe.
SMG collaborates with law enforcement agencies to help stop cybercrime in Switzerland, including research and prevention work with the Swiss Crime Prevention Initiative and public authorities. Participation in industry initiatives such as the Fast IDentity Online (FIDO) Alliance and digitalswitzerland helps increase trust in digital ecosystems, advance global authentication standards, and reduce reliance on passwords.
Knowledge sharing is another element of SMG’s external engagement. In 2025, this included keynote contributions at international cybersecurity events in the Netherlands and Germany, such as Identity Week. During Cybersecurity Month in October and other events throughout the year, SMG shares insights and best practices via its blog, podcasts, and social media channels to promote safer online behaviour, with a focus on phishing, account takeovers, and fraud.