stock market data

Do you know what data assets are critical for business operations?


Banks should prepare for the new FINMA Circular 2023/1 “Operational risks and resilience – banks”, including provisions on critical data.


In brief

  • What are the main requirements of the FINMA Circular 2023/1 “Operational risks and resilience – banks”, which enters into force on 1 January 2024?
  • What is critical data within the bank with respect to confidentiality, integrity and availability (CIA triad)?
  • How can banks identify critical data and comply with new requirements on time?


In the post-COVID world, accelerated digitalization presents a crucial challenge to the operating model of banks: operational resilience. Increased regulatory supervision and tighter regulation demand better controls for more automated and complex processes. Industry players may struggle to implement the changes needed to maintain compliance, improve operations, and meet requirements.

However, new regulations are also an exciting opportunity for banks to improve capabilities that support robust operations. The new FINMA Circular 2023/1 “Operational risks and resilience – banks”, due to enter into force on 1 June 2024, sets minimum risk management standards for the banking industry, and updates the previous circular in the following areas:



Future of Risk and Resilience

Find out more on how to ensure your organization’s resiliency capability for a fast pace and technology driven era.


stock market data

EY carried out a risk matrix analysis to grade the impact of each of the changes within the new FINMA circular. FINMA demands stricter management of critical data, thereby asking banks to assure the highest standards around confidentiality, integrity, and availability. The word “critical” dominates the wording of the circular – not only for data provisions but also those on processes. Furthermore, the identification of critical processes is a crucial activity for managing risk within the organization.

Banks are required to understand what data assets are critical for business operations in the context of confidentiality, integrity, and availability

The revised FINMA regulation will push the industry toward better data governance that addresses data integrity and availability to improve operational resilience. Banks are required to recognize what data assets are critical for business operations in the context of the CIA triad. This requires clear definitions, precise thresholds, and the right level of business awareness around critical data.

In the context of business decision-making, there are three data domains that need to be considered when identifying critical data:

We believe banks should take a structured approach to data discovery, seeking external support where necessary. Organizations may like to consider the following six steps to achieve complete critical data classification.

ey-data-resilience.png
  1. Perform critical data domain discovery within the business organization, through surveys and interviews conducted in different entities.
  2. Map critical functions within the organization and explore reporting obligations.
  3. Define the confidentiality, integrity, and availability (CIA) threshold for critical data, in alignment with business, IT, security, and data strategy. This covers data loss prevention, information security, BCM and operational resilience.
  4. Map functions, processes, and systems to data sources, required to maintain operations.
  5. Build a data catalog to define data lineage across systems.
  6. Use the CIA triad and factor rating model to categorize data assets as Critical Data Elements (CDEs).

Summary

The revised FINMA circular on operational risks and resilience requires significant change in the way banks manage their data. Institutions need to adopt and adapt their existing data strategy, BCM and operational resilience policies to protect their business-critical data. The most challenging aspect here is the increasing visibility on critical functions and classifying data criticality. A critical data discovery approach that considers legal, risk assurance and technology perspectives is an effective way to ensure compliance with new Swiss regulatory requirements


About this article

Authors

Related articles

A new Era for Data Protection in Switzerland – Are you ready?

A new Era for Data Protection in Switzerland – Are you ready?