This analysis delves into FINMA Circular 2023/1 and DORA (Digital Operational Resilience Act), examining them from the standpoint of a Swiss financial entity actively implementing measures to align with the Circular.
The objective is to identify remaining compliance gaps with DORA, a significant EU law outlining security requirements for network and information systems in the financial sector and critical third-party ICT service providers.
Key areas shared by both regulations include general protection measures, detection and monitoring, incident management, business continuity and disaster recovery, operational resilience, third-party risk management, and specific regulations for smaller financial entities.
General protection measures in both frameworks stress the importance of securing data during transmission or storage and preventing unauthorized access, modification, or destruction.
DORA introduces additional requirements, such as implementing strong authentication mechanisms, deploying cryptographic keys to protect sensitive information, and regularly applying software and system patches and updates.
Detection and monitoring obligations in DORA necessitate establishing multi-layered control mechanisms, regular testing of detection processes, and dedicating ample resources to monitor user activity, ICT anomalies, and incidents, especially those related to cyber threats.
Incident management requirements encompass maintaining a crisis management plan, regularly testing it, and keeping accessible records of activities before and during disruptive events. Post-incident reviews are mandated to assess the effectiveness of the incident response plan, with a focus on promptness, forensic analysis, incident escalation, and communication, among other factors.
Business continuity and disaster recovery obligations involve having a regularly reviewed and tested Business Continuity Plan (BCP).
DORA additionally stipulates the maintenance of redundant ICT capacities to ensure business needs can be met in case of a disruption.
Under DORA, operational resilience testing requires annual tests of all ICT systems supporting critical functions. Furthermore, specific requirements are outlined for central securities depositories and central counterparties, including vulnerability assessments before deploying new applications or infrastructure components.
In the realm of third-party risk management, DORA specifies contractual provisions related to termination rights, service level descriptions, and subcontractor requirements.
Both sets of regulations provide flexibility for smaller financial entities. FINMA Circular 2023/1 offers exceptions for certain banks and securities firms, while DORA exempts specific organizations but imposes a simplified ICT risk management framework on them.
In conclusion, while FINMA Circular 2023/1 takes a high-level approach, DORA provides detailed specifications.
Entities compliant with the Circular may have addressed most DORA aspects, but a thorough review is necessary to ensure full compliance.
Do you want to find out more?
Contact KP Genève and benefit from our expertise and network.