FINMA requirements for ICT resources in Swiss finance industry: GRC approach and main related standards

20 Sep 2023 07:00 AM By itSMF Staff

Reading time: ~ 4 min.


The ICT resources requirements for Swiss finance industry set by FINMA

As you probably already know, in Switzerland FINMA – Eidgenössische Finanzmarktaufsicht; autorité fédérale de surveillance des marchés financiers; autorità federale di vigilanza sui mercati finanziari – is the Financial Market Supervisory Authority.

This authority sets a large number of mandatory requirements for all financial industry players, and today we are going to take a closer look at one of them in particular: FINMA Circular 2023/1.

The document was issued by the authority in January 2023 and is intended to replace the previous one, the old Circular 08/21.

In the following lines, we are going to look more closely at the main ICT resources requirements that FINMA sets for the Swiss financial market, keeping in mind that these are requirements for institutions subject to FINMA supervision.

The Swiss finance industry ICT resources requirements set by FINMA 23/01 Circular

First of all, given our GRC approach, we would like to focus our examination on «Chapter IV» of the aforementioned Circular 23/01 issued by FINMA.

This fourth chapter of the document covers the «Management of Operational Risks» and is divided into these six areas:

✅ A. Transversal Management of Operational Risks

✅ B. ICT Risk Management

✅ C. Cyber Risk Management

✅ D. Risk management of critical data

✅ E. Business continuity management (BCM)

✅ F. Management of risks relating to the provision of cross-border services

This was only a brief examination of Chapter IV of the FINMA Circular 23/01, but we should also keep in mind that the document sets further requirements in other chapters.

If we take «Chapter V», we notice that it relates to the need for «Ensuring operational resilience».

At this point, one big question arises for our compliance strategy: how can we systematically manage the requirements of Circular 2023/01 that apply to ICT resources?

How to manage the ICT requirements for the Swiss finance industry set by FINMA according to the most relevant ISO standards

It is probably correct to say that a modern GRC approach, based on the main ISO standards that can be related to the matter, can support the integrated management of all the requirements applicable to ICT resources, which concern:

  • Information security
  • Business continuity
  • IT services.

We should now identify the ISO standards we can rely on to manage these requirements; they are:

  • ISO 38500, for the Governance;
  • ISO 31000, for the Risk Management;
  • ISO 37301, for the Compliance Management.

We should also remember that a modern GRC approach allows the adoption, and of course the integration, of several reference standards (e.g. ISO standards and NIST standards), as follows:

📘 ISO 27001 «information security standard», ISO 27110 «cybersecurity framework standard» and the corresponding NIST standard;

📘 ISO 22301 «business continuity standard»;

📘 ISO 20000-1 «IT services standard».

To better grasp the «big picture» of what we have just described, we can turn, as usual, to our infographic.

By Andrea Leonardi (VP @ Minerva Group Service, MP @ Alpemi Consulting & itSMF Switzerland board member).
We end our brief overview of the FINMA requirements on ICT resources set by Circular 2023/1 by inviting you to stay tuned to our blog, social media channels and newsletter, so that you are always updated on the latest news about this topic.
