On December 7, 2022, the Swiss Financial Market Supervisory Authority (FINMA) published the completely revised Circular 2023/01 “Operational risks and resilience”. These new regulations came into force on January 1, 2024 and brought comprehensive changes and adjustments to the previous standards. The most important points of the new requirements are explained below.
Background and objectives of the revision
The revision of the circular responds to the growing complexity of IT systems, rapid technological change and the rise in cyber attacks. Its aim is to strengthen resilience to operational risks and to ensure that critical functions can be maintained even in crisis situations.
Key points of the new FINMA guidelines
Cyber risk management:
- Integration of ICT and cyber risks: Cyber risks must be considered in the context of information and communication technology risks (ICT risks).
- Reporting obligation: Companies are obliged to report cyber attacks in accordance with FINMA Directive 05/2020.
Management of critical data:
- Data strategy: A comprehensive data strategy must be developed and implemented to ensure the confidentiality, integrity and availability of critical data.
- Increased security measures: Companies must take increased security precautions when handling critical data and regularly review and update them.
Business continuity management (BCM):
- Identification of critical processes: Companies must identify their critical processes and the resources required for them.
- Emergency and recovery plans: Creation and regular updating of a business continuity plan (BCP) and a disaster recovery plan (DRP).
- Regular testing: Conduct regular tests, such as simulations, to check the effectiveness of contingency plans.
Operational resilience:
- Definition of disruption tolerances: For each critical function, disruption tolerances must be defined and approved by the Board of Directors.
- Measures to ensure resilience: Appropriate measures must be taken to maintain resilience, including regular testing against “serious but plausible” scenarios and adjustment of the measures based on the results.
- Inventory of critical functions: An inventory of critical functions must be maintained and updated.
Requirements for systemically important banks:
- Continuation of critical services: There are specific requirements for the continuation of critical services during the resolution and recovery of systemically important banks.
Conclusion
The new FINMA guidelines ensure that Swiss financial institutions are better prepared for operational risks and cyber threats. By integrating modern risk management practices and emphasizing operational resilience, critical functions can be maintained even in times of crisis, thus safeguarding stability.
If you need help with the implementation, we are always there for you. Register for an appointment via our website and our experts will be happy to support you.