FINMA-RS 08/21, originally "Operational Risks - Banks", was a circular from the Swiss Financial Market Supervisory Authority (FINMA) that defined the qualitative requirements for operational risk management for banks in Switzerland. It clarified how regulatory requirements for risk management, internal control, and organization should be interpreted with respect to operational risks. Given new international standards and technological developments, the circular was revised in 2023 and reissued as FINMA-RS 23/1 "Operational Risks and Resilience - Banks".
Content of the Revision (FINMA-RS 23/1)
The complete revision, which takes effect on January 1, 2024, now places increased emphasis on ensuring operational resilience, meaning the banks' resistance to disruptions and crises. It replaces FINMA-RS 08/21 and brings the following significant changes and innovations:
Management of Operational Risks
The new circular continues to focus on the comprehensive management of operational risks, which include IT and cyber risks, risks regarding critical data, and Business Continuity Management (BCM). It requires institutions to implement a holistic risk strategy and systematically identify, limit, and monitor operational risks. The determination and monitoring of risk tolerance by the governing body is central to this.
IT and Cyber Risks
Special attention is given to IT and cyber risks. Institutions must implement appropriate measures to ensure the confidentiality, integrity, and availability of IT systems. These include:
- Regular penetration tests and vulnerability analyses that cover all essential IT components and critical data, particularly those that are accessible via the Internet or are essential for providing critical functions.
- Scenario-based cyber exercises tailored to institution-specific threats to test the response capability to potential attacks.
Critical Data Management
Critical data essential for bank operations and regulatory purposes must be strictly protected. This data is classified according to confidentiality, integrity, and availability and managed throughout its entire lifecycle. This includes protection against unauthorized access, including in test environments.
Business Continuity Management (BCM)
BCM ensures that critical processes can be restored in case of disruptions or interruptions. It defines recovery objectives (the recovery time objective, RTO, and the recovery point objective, RPO) and establishes how to respond to crises. The introduction of regular tests, including table-top exercises, ensures that the crisis organization and recovery processes are prepared for disruptions.
Operational Resilience
A key component of the new circular is operational resilience. This aims to ensure that institutions can continue their critical functions within acceptable limits even in severe but plausible crisis scenarios. For this, institutions must maintain an inventory of their critical functions and processes, define their dependencies and interruption tolerances, and test them regularly.
Reporting Requirements for Incidents
In case of significant disruptions or cyber attacks, institutions must inform FINMA within 24 hours. A detailed report must be submitted within 72 hours to document the incident and the measures taken.
Penetration Tests Become Absolutely Mandatory
With unusual clarity and explicitness, FINMA demands regular penetration tests and emphasizes management's responsibility:
The management must regularly conduct vulnerability analyses and penetration tests. These must be carried out by qualified personnel with appropriate resources. All inventoried ICT components that are accessible via the Internet must be considered. Additionally, inventoried ICT components that are not accessible via the Internet but are necessary for providing critical processes, or which contain electronic critical data, must be considered.
Furthermore, "risk-based scenario-related cyber exercises" are required; this primarily refers to red teaming, phishing simulations, table-top exercises, and similar activities.
Based on institution-specific threat potentials, risk-based scenario-related cyber exercises must be conducted. The results of the exercises must be documented and reported in an appropriate form.