
News

Swiss financial regulator, FINMA, adopts ‘Resilience by Design’

As digital transformation continues unabated, so does a financial institution’s exposure to digital threats and its risk of disruption from technology or software failure.

In step with this, the regulation of financial services continues to develop across the globe, with the European Union’s Digital Operational Resilience Act (DORA) and the revised Directive on Security of Network and Information Systems (NIS2) both entering into force on 16 January 2023.

Last month, the Swiss Financial Market Supervisory Authority, FINMA, became the latest regulator to publish guidance in this area, issuing a revised circular, "Circular 2023/1 Operational risks and resilience – banks", on operational risks and resilience at banks.

What are the key points of the guidance?

The new guidance sets out how banks can increase their capacity to overcome severe, complex, systemic, or prolonged operational problems with a particular focus on information and communication technology, handling critical data and cyber risk.

In order to minimise the impact of disruptions on the provision of critical functions, an institution will be expected to:

  • identify threats and possible failures
  • protect itself from them
  • respond to them
  • restore normal business operations in the event of disruptions and
  • learn from them

An institution will be deemed operationally resilient where it has incorporated principles of ‘Resilience by Design’ so that it is less exposed to such disruptions in the first place.

The guidance lists a number of scenarios in which an organisation should be able to maintain its critical functions, including:

  • a pandemic,
  • a power shortage,
  • a prolonged downtime resulting from the insolvency of a key service provider (as an example of a stressed exit by a service provider) or
  • a long-term prohibition imposed by foreign governments.

The timeline is relatively tight: the circular is scheduled to come into force on 1 January 2024, replacing the Swiss Bankers Association’s Recommendations for Business Continuity Management, which are currently recognised as the minimum standard for regulated banks.

Wayne Scott, Regulatory Compliance Solutions Lead, NCC Group Software Resilience, comments:

“Both DORA and NIS2 have had their respective timelines confirmed recently, marking a real push to drive up standards and ensure organisations are focused on playing their parts in building a responsible and sustainable industry.

We are pleased to see FINMA embracing principles of ‘Resilience by design’ in this latest guidance.

A key area of focus for institutions must be the development of business continuity and incident management plans that outline how they will respond to and recover from an event that disrupts the ongoing provision of critical functions and services.

When it comes to managing and limiting the potential impact of disruptive events, such as the loss of a key supplier or software failure, escrow agreements are the only proportional, tried and tested method on the market that can provide a level of assurance that critical functions will be maintained. When the source code behind critical applications and software is held in escrow, there comes a peace of mind that, no matter what disruption is happening in your supply chain, you will always have access to it.

Indeed, regulators globally – including in the UK, Singapore and the US – recommend software escrow as a key practical solution in mitigating such risk.”

NCC Group Press Office
Press contact: all media enquiries relating to NCC Group plc, +44 7976234970

NCC Group - Financial Media Enquiries
Press contact: Maitland AMO, financial results media enquiries, +44 (0)20 7379 5151

Regional Press Office - North America
Press contact: +1 408 776 1400

Regional Press Office - Europe
Press contact: +31 20 794 4737

NCC Group exists to make the world safer and more secure

In today’s threat landscape, understanding the risks that organisations and their customers are exposed to is more important than ever.

Understanding the impact of those risks, and how to be more resilient to them, is key to protecting brand, reputation and sensitive customer information. Building a cyber-resilient organisation can be a complex process, but it is not impossible.

With our knowledge, experience and global footprint, we help assess, develop and manage cyber resilience posture.

NCC Group Newsroom
XYZ Building, 2 Hardman Boulevard, Spinningfield
M3 3AQ Manchester
United Kingdom