Boosting Cyber Resilience: DORA and FINMA Impacts

Cyber Resilience | Article | December 2, 2024

In today’s highly interconnected world, financial institutions need to ensure they can effectively manage their information and communication technology (ICT) risks in a proactive and secure way.

Jenany Sivathasan and Sylvain Luiset


In today’s highly interconnected world, financial institutions need to ensure they can effectively manage their information and communication technology (ICT) risks in a proactive and secure way. Also, organizations must be able to recover rapidly from any disruptions and threats – ensuring strong business continuity.

Enter the Digital Operational Resilience Act (DORA), introduced by the European Commission in 2020, which sets uniform requirements for managing ICT risks, reporting incidents, testing digital operational resilience and managing third-party risks. This point of view explores the details behind DORA and FINMA and their implications for Swiss financial institutions.

The need for operational resilience

The technological advancements and increasing cyber threats in the financial sector have underscored the critical need for operational resilience. Recently, Swiss financial institutions regulated by FINMA have been facing the additional challenge of implementing DORA requirements alongside FINMA Circular 2023/1. Although DORA is an EU regulation, it is also relevant for Swiss financial institutions. Many Swiss institutions operate across borders and are closely tied to EU financial markets.

To maintain market access, they must comply with EU standards, especially when serving EU clients or relying on EU-based service providers. These new regulations aim to enhance the operational resilience of financial entities by introducing stringent requirements for ICT risk management, incident reporting, and continuous testing. Aligning with international standards, these regulations provide Swiss financial institutions with a solid foundation to navigate today's complex financial landscape.

Operational resilience is at the core: it is an organization's capability to anticipate, prepare for, respond to, and adapt to changes and disruptions. This includes:

  • Back-up and recovery – Regular data backups and well-defined recovery procedures ensure that critical information can be restored quickly in the event of a cyberattack or system failure.
  • Redundant IT infrastructure – Backup servers or data centers allow banks to switch to alternative systems with minimal downtime if the primary system is compromised.
  • Business continuity – Detailed business continuity plans and robust communication strategies enable banks to respond effectively to major disruptions, such as natural disasters or cyber incidents, while keeping stakeholders informed.

For the financial sector, this means managing a range of risks such as hardware failures, software errors, power and communication interruptions, cyber-attacks and other operational disturbances that could potentially destabilize the financial system.

New requirements to face the ever-increasing cyber threat head-on

Both FINMA Circular 2023/1 and DORA were introduced in response to rapid technological advancement and the growing frequency of cyber threats. Many events have exposed vulnerabilities in financial institutions' ICT resilience, underlining the need for stronger regulatory frameworks.

While FINMA addresses a broad range of operational risks, DORA specifically targets ICT and cyber resilience. DORA places a stronger emphasis on two areas: it introduces stringent requirements for monitoring and managing the risks associated with third-party ICT service providers, highlighting the importance of managing external dependencies, and it establishes a unified incident reporting framework across the EU. Additionally, DORA mandates advanced testing protocols, such as penetration testing, to identify and mitigate vulnerabilities.

Being FINMA-regulated offers a significant advantage. Swiss financial entities are already partially compliant with DORA due to existing stringent FINMA requirements, making the transition less daunting. The comprehensive protocols for ICT risk management, incident reporting, and continuous testing introduced by DORA are more extensive but build on the robust foundation provided by FINMA.

One of the main challenges for Swiss financial institutions is ensuring alignment between DORA and existing FINMA requirements. The overlap and potential conflicts between DORA and FINMA necessitate a comprehensive mapping exercise. Financial institutions must identify areas where DORA’s requirements complement or diverge from FINMA’s guidelines to create a cohesive compliance framework. This alignment is essential to avoid redundancy and ensure that all regulatory requirements are met efficiently.

Impact of DORA on Swiss Companies

Swiss companies providing ICT services to their EU affiliates must comply with DORA standards, even for internal group services. Additionally, Swiss institutions that interact with EU financial institutions or clients may also need to adhere to DORA standards. As financial institutions work towards meeting the January 2025 compliance deadline, they must address several data-related challenges to comply with DORA and protect against ICT disruptions.

The implementation of DORA requires substantial investment in financial and human resources to achieve full adoption. Key areas include:

  • Third-party providers – Ensure third-party service providers comply with the regulation, including precise due diligence, stringent contract requirements, and ongoing monitoring.
  • Management engagement – Top management needs to be aware of the new requirements, participate in preparedness drills and simulations, and enable the organization through budgets and resources.
  • Organizational readiness – Assign roles and responsibilities, establish reporting lines, conduct readiness assessments and implement the needed technical and procedural measures.

Bridging the technical gaps to boost operational resilience

Combining elements of DORA with FINMA's guidelines can significantly boost the operational resilience of Swiss financial institutions. To save internal time, leverage external expertise, and obtain an independent review, it may be beneficial to enlist an expert to help you align with the technical requirements of DORA. This will ensure robust digital operational resilience and safeguard your operations.

Our team at Zurich Resilience Solutions provides technical support in key areas such as due diligence, third-party risk management, training programs, and continuous risk monitoring. To learn more, please contact us at cyber.resilience@zurich.com.

This article counts towards accumulating your annual CII CPD structured learning hours for Cyber and Data Security. By reading this article, and correctly answering the three questions underneath, you will have achieved the following learning outcome: Summarise how the insurance industry is responding to cyber risk. Visit the CPD Hub to log in and begin accumulating CPD hours.