
FINMA Circular — Operational Risks (Switzerland)

Reviewed by: Cenedril Editorial

A Swiss private bank relies on a single cloud provider for securities settlement. The function “securities settlement” is classified as critical, yet no tolerance for disruption is set out anywhere in writing — and there is no documented recovery path for a provider outage. On a FINMA on-site inspection the supervisor will ask exactly these points, in this order, with the burden of proof on the institution. An institution that has not worked through the resilience requirements in detail risks conditions, supervisory measures or, in extreme cases, a business prohibition.

The FINMA Circular 2023/1 “Operational risks and resilience — banks” (in force since 1 January 2024, with transition periods for the resilience requirements until the start of 2026) has reset Swiss supervision in the field of operational risks. As an administrative ordinance it is not a formal law, yet for supervised institutions it has binding effect — comparable with BAIT/MaRisk in Germany.

Who is affected?

All banks and securities firms with a FINMA authorisation in Switzerland. The set of addressees is clear, while the duties differ by size and risk profile:

  • Banks under the Banking Act — universal banks, private banks, cantonal banks, Raiffeisen banks.
  • Securities firms under the Financial Institutions Act — the former securities dealers.
  • Systemically important banks — stricter requirements, especially in the area of third-party risks and resilience.
  • Branches of foreign banks in Switzerland — adapted application within supervisory law.
  • Insurers — analogous requirements via Circular 2017/02 on corporate governance at insurers and via ongoing supervisory practice.

The requirements are scaled proportionally via FINMA’s supervisory category model (1 = systemically important to 5 = very small). Smaller institutions in categories 4 and 5 receive reliefs, while the core duties on cyber and third-party risks remain.

What does the law require?

The circular structures the requirements into four chapters — governance, specific topics (especially cyber and ICT), operational resilience, final provisions. Relevant for information security:

  • Governance (margin nos. 4-34) — risk management framework for operational risks, responsibility of the board of directors and executive management, three lines of defence (3LoD), capital backing.
  • ICT risk management (margin nos. 35-60) — IT strategy, IT governance, inventory, change management, data integrity, backup and recovery.
  • Cyber risk management (margin nos. 61-82) — cyber strategy, threat analysis, protection, detection, response, recovery, testing (including red teaming at large institutions), reporting duty for severe cyberattacks.
  • Critical data (margin nos. 83-95) — identification, classification, protection and location; stricter requirements for cross-border processing.
  • Business continuity (margin nos. 96-119) — BCM concept, business impact analysis, recovery plans, tests, crisis management.
  • Operational resilience (margin nos. 120-139) — identification of critical functions, tolerances for disruption, mapping of supporting resources (including third parties), scenario analyses, continuous improvement.
  • Third-party risks — lifecycle management of outsourcing and critical service providers; the separate Circular 2018/3 “Outsourcing” remains applicable and is complemented by 2023/1.

Incident reporting goes via the FINMA portal in line with Art. 29(2) FINMASA and Supervisory Communication 05/2020 on the reporting of cyberattacks.

In practice

Identify critical functions cleanly — and nothing beyond. A list of 80 “critical functions” misses the point. Proven in practice: 5 to 15 genuinely business-critical functions with clearly formulated tolerances for disruption (recovery time, recovery point, acceptable data loss). These tolerances are adopted by the board of directors and reviewed at least once a year.

Manage third-party risks across the lifecycle. Onboarding, ongoing monitoring, concentration analysis, exit strategy — all four phases need documented processes. Cloud providers with processing outside Switzerland require particular attention, because FINMA expects a localisation rationale for critical data (margin nos. 88 et seq.).

Scenario analyses beyond the ransomware standard. FINMA expects realistic scenarios that affect several resources at once (e.g. a staff outage plus an IT outage) and that test the tolerance thresholds. Tabletop exercises with the board of directors are an established format. The results feed into the improvement of the resilience concept.

Mapping to ISO 27001

The FINMA circular overlaps substantially in structure with ISO 27001, ISO 22301 (BCM) and ISO 27005 (risk management). An institution running a certified ISMS and BCMS covers a significant share of the requirements technically — the FINMA-specific resilience view and the reporting channels remain to be satisfied separately.

Directly relevant controls: see the list under “ISO 27001 Controls Covered” below.

Typical audit findings

  • Tolerances for disruption missing or not adopted by the board of directors — the resilience requirement is implemented formally, without supervisory anchoring.
  • Mapping of critical functions to resources incomplete — staff, IT applications, data, premises and third parties are not consistently linked to critical functions.
  • Third-party lifecycle incomplete — onboarding review is in place, while ongoing monitoring and exit strategy are not operationalised.
  • Cyber testing too narrow — the annual penetration test covers only selected applications; a threat-led test (comparable to TIBER/TLPT) is missing at larger institutions.
  • Cloud localisation not justified — critical data lie in US regions without the institution addressing the access risks.
  • Incident report late — the FINMA deadline for severe cyberattacks (24-hour early warning, 72-hour detailed report) is missed because the internal escalation path has never been rehearsed.
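The register checks described under “In practice” and the audit findings above, as an added example in Python (not FINMA text and not any institution’s tooling): each check corresponds to one finding, and the sample register, provider names and dates are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
# Resource kinds the text expects linked to each critical function, and the four lifecycle phases.
RESOURCE_KINDS = {"staff", "applications", "data", "premises", "third_parties"}
LIFECYCLE_PHASES = {"onboarding", "monitoring", "concentration", "exit"}

@dataclass
class CriticalFunction:
    name: str
    rto_hours: "int | None"         # tolerance for disruption: recovery time
    rpo_hours: "int | None"         # tolerance for disruption: recovery point
    board_adopted: bool             # tolerances adopted by the board of directors
    last_review: "date | None"      # date of the last review (expected yearly)
    resources: dict = field(default_factory=dict)   # resource kind -> resource names

def check_register(functions, providers, today):
    findings = []   # each check mirrors one of the audit findings listed above
    if not 5 <= len(functions) <= 15:
        findings.append(f"register lists {len(functions)} critical functions, expected 5-15")
    for f in functions:
        if f.rto_hours is None or f.rpo_hours is None:
            findings.append(f"{f.name}: tolerance for disruption not set")
        if not f.board_adopted:
            findings.append(f"{f.name}: tolerances not adopted by the board")
        if f.last_review is None or today - f.last_review > timedelta(days=365):
            findings.append(f"{f.name}: tolerances not reviewed within a year")
        missing = RESOURCE_KINDS - {k for k, v in f.resources.items() if v}
        if missing:
            findings.append(f"{f.name}: no resources mapped for {sorted(missing)}")
        if len(f.resources.get("third_parties", [])) == 1:   # concentration on one provider
            findings.append(f"{f.name}: depends on a single third party")
    for name, phases in providers.items():
        gaps = LIFECYCLE_PHASES - set(phases)
        if gaps:
            findings.append(f"{name}: lifecycle phases not documented {sorted(gaps)}")
    return findings

# Constructed register reproducing the opening scenario: settlement on one cloud provider,
# no written tolerance, and no documented exit strategy for that provider.
CLOUD = "CloudCo (constructed)"
SAMPLE_FUNCTIONS = [
    CriticalFunction("securities settlement", None, None, False, None,
                     {"staff": ["settlement desk"], "applications": ["settlement app"],
                      "data": ["positions"], "premises": ["HQ"], "third_parties": [CLOUD]}),
    CriticalFunction("payments", 4, 1, True, date(2025, 3, 1),
                     {"staff": ["treasury"], "applications": ["payment hub"], "data": ["ledger"],
                      "premises": ["HQ", "DR site"], "third_parties": [CLOUD, "SettleCo (constructed)"]}),
]
SAMPLE_PROVIDERS = {CLOUD: ["onboarding", "monitoring"]}
SAMPLE_TODAY = date(2025, 6, 1)
```

Running `check_register(SAMPLE_FUNCTIONS, SAMPLE_PROVIDERS, SAMPLE_TODAY)` yields six findings: the register is too short, settlement lacks tolerances, board adoption, review and a second provider, and the provider’s concentration and exit phases are undocumented.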

ISO 27001 Controls Covered

  • A.5.7 Threat intelligence
  • A.5.19 Information security in supplier relationships
  • A.5.20 Addressing information security within supplier agreements
  • A.5.21 Managing information security in the ICT supply chain
  • A.5.22 Monitoring, review and change management of supplier services
  • A.5.23 Information security for use of cloud services
  • A.5.24 Information security incident management planning and preparation
  • A.5.25 Assessment and decision on information security events
  • A.5.29 Information security during disruption
  • A.5.30 ICT readiness for business continuity
  • A.5.36 Compliance with policies, rules and standards for information security
  • A.8.6 Capacity management
  • A.8.8 Management of technical vulnerabilities
  • A.8.14 Redundancy of information processing facilities
  • A.8.15 Logging
  • A.8.16 Monitoring activities

Frequently asked questions

Who falls under FINMA Circular 2023/1?

Banks, securities firms and insurers with a FINMA authorisation. The circular replaces the old Circular 2008/21 on operational risks in banks and extends the range of addressees to insurers and to the explicit pillar of operational resilience. For the individual duties, an institution-specific proportionality approach applies by supervisory categories (1-5).

What does operational resilience mean in the FINMA sense?

The ability of an institution to maintain critical functions under severe disruption or to restore them promptly, within pre-defined tolerances for disruption. The requirements cover identification of critical functions, setting of recovery tolerances, scenario analyses, test and improvement cycles, and management of material third parties. This is the central new block compared with the predecessor version.

How does the circular relate to DORA?

There is strong substantive overlap: both frameworks address operational resilience, ICT risk management, incident reporting and third parties. FINMA calibrated the circular deliberately so that consistent implementation with DORA remains possible; some concretisations (e.g. on cloud providers and critical third parties) differ. Swiss institutions with an EU group subsidiary should plan DORA and Circular 2023/1 together.