Swiss financial regulator, FINMA, adopts ‘Resilience by Design’

As digital transformation increases unabated, so does a financial institution’s level of exposure to digital threats and risk of disruption due to technology or software failure.

In line, the regulation of financial services continues to develop across the globe, with the European Union’s Digital Operational Resilience Act (DORA) and the Directive on Security of Network and Information Systems (NIS2) both entering into force on 16 January 2023.

Last month, the Swiss Financial Market Supervisory Authority, FINMA, was the latest regulator to publish guidance with a revised circular "Circular 2023/1 Operational risks and resilience – banks" on operational risks and resilience at bank.

What are the key points of the guidance?

The new guidance sets out how banks can increase their capacity to overcome severe, complex, systemic, or prolonged operational problems with a particular focus on information and communication technology, handling critical data and cyber risk.

In order to minimise the impact of disruptions on the provision of critical functions, an institution will be expected to:

• identify threats and possible failures
• protect itself from them
• respond to them
• restore normal business operations in the event of disruptions and
• learn from them

An operationally resilient institution will be deemed as one that has incorporated principles of ‘Resilience by Design’ to make it less exposed.

The guidance lists out many scenarios in which an organisation should be able to maintain critical functions, including:

• a pandemic,
• a power shortage,
• a prolonged downtime resulting from the insolvency of a key service provider (as an example of a stressed exit by a service provider) or
• a long-term prohibition of foreign governments.

There is a relatively tight timeline associated with the guidance scheduled to come into force from 1 January 2024, replacing the Swiss Bankers Associations Recommendations for Business Continuity Management, that are recognised as the existing minimum standard for regulated banks.

Wayne Scott, Regulatory Compliance Solutions lead, NCC Group Software Resilience comments:

“Both DORA and NIS2 have had their respective timelines confirmed recently, marking a real push to drive up standards and ensure organisations are focused on playing their parts in building a responsible and sustainable industry.

We are pleased to see FINMA embracing principles of ‘Resilience by design’ in this latest guidance.

A key area of focus for institutions must be the development of business continuity and incident management plans that outline how they will respond to and recover from an event that disrupts the ongoing provision of critical functions and services.

When it comes to managing and limiting the potential impact of disruptive events, such as the loss of a key supplier or software failure, Escrow agreements are the only proportional, tried and tested method on the market that can provide a level of assurance that critical functions will be maintained. When the source code behind critical applications and software is held in Escrow, there comes a peace of mind that no matter what disruption is happening in your supply chain, you will always have access to it.

Indeed, regulators globally – including in the UK, Singapore and the US – recommend software escrow as a key practical solution in mitigating such risk.”