Operational resilience is rapidly gaining in both national and international importance following the EU’s response to the increasing threat situation with stricter cyber security requirements, such as the FINMA Circular, Cyber Resilience Act and NIS2 to name a few. And rightly so – those stricter requirements not only affect regulated sectors or operators of critical infrastructures (KRITIS), but DORA is aimed at a broad spectrum of organisations from the financial and ICT sectors. But what does “Operational resilience” actually mean for your company? And what guidelines need to be observed as you implement measures? Questions about questions, which we will answer in this article, along with providing practical recommendations for implementation in your company.
Operational resilience is no longer limited to the financial sector. As we recently pointed out in a blog article on the NIS2 directive, many companies operating in the European Union (EU) will be subject to significantly stricter mandatory measures (from October 2024), not least in the area of operational resilience.
Then there’s the mandatory Cyber Resilience Act (CRA), with requirements for products with digital elements that are placed on the market in the EU. We can assume that similar requirements will follow in Switzerland in the future.
Looking at the development of operational resilience in recent years, it becomes clear that this is by no means a new topic – in fact, quite the opposite. Operational resilience against operational disruptions such as a cyber attacks can be of existential importance. In the UK, for example, regular attack simulations in the financial sector (known as CBEST) have been carried out since 2014. The results of these have placed the topic of resilience centre stage for the relevant supervisory authorities, which have issued guidelines accordingly.
Operational resilience as a competitive advantage
An organisation’s operational resilience has a significant impact on the trust of existing and potential new customers. A company’s reputation will suffer if outages result in a loss of business, take a long time to rectify or occur more frequently. Customers will trust the company less and may favour the competition.
What is operational resilience?
Operational resilience is the ability of companies to prevent, adapt and respond to as well as recover and learn from operational disruptions.
In other words, and in a little more detail:
| “Operational resilience is an organisation’s ability to withstand, adapt to and recover from adverse disruptions such as cyber attacks, natural disasters, supply chain problems or technical faults. It’s about being prepared for the unexpected – from power outages to pandemics to cyber attacks – and ensuring that the company can continue to function even in the face of such challenges.” |
For companies, then, it’s a question of taking a holistic view of all activities and measures needed to minimise the impact of operational disruptions (not just BCM scenarios). Consequently, business operations are barely impaired, if at all, in an ideal case.
As there’s no explicit definition of the term in the EU NIS2 Directive already mentioned, companies should use a generally applicable definition (such as the one set out above) as the basis for implementing measures to achieve compliance with the Directive.
How do you achieve operational resilience?
Operational resilience can be achieved with a structured approach. Having already addressed aspects of cyber security, and not least business continuity management (BCM), is beneficial. This means you’ve already laid the foundations and made some initial assessments. Below we set out a possible procedure that you can apply in your company:
- Identify customers: Who are your most important customers and what are their needs?
- Identify products and services: What are the most important products and services for your customers?
- Identify the processes: What are the most important processes, what resources do these processes require, what dependencies do these processes have?
- Identify systems and data: What are the most important digital systems, infrastructures and data that support the processes?
- Identify the service providers involved: Are any service providers involved in the value chain of the products and services?
- Identify threats and risks: Which threats (scenarios) could have a negative impact on the processes and systems? What (inherent) risks are there?
- Carry out tests: Carry out regular tests to detect the identified threats (scenarios) and risks, recognise potential vulnerabilities and sources of error, and practise the response to incidents.
- Optimise continuously: Ensure that you analyse incidents and errors and gain insights to enable continuous and long-term improvement of processes and systems.
- Measure processes and system: Introduce metrics to measure processes and systems or monitor for deviations from normal status to recognise potential issues at an early stage.
What legal requirements for operational resilience need to be observed?
You should check which legal requirements need to be observed (multinational organisations need to do so for each country). If anything is unclear, this should be cleared up with (local) experts. Below we have listed some of the most important legal requirements for companies operating in Switzerland and/or the EU.
The following legal requirements currently apply in Switzerland:
- FINMA Circular 2023/1 “Operational risks and resilience – banks”
- Amended Electricity Supply Ordinance (StromVV)
- ICT minimum standards (critical infrastructures)
- Resilience in the supply and service chains
The following legal requirements may also be relevant for companies operating in the EU:
- Network and Information Security Directive 2 (NIS2)
- Digital Operational Resilience Act (DORA) (“lex specialis” for the financial sector)
- Cyber Resilience Act (CRA)
Operational resilience in the financial sector
The financial sector is heavily regulated and has been quick to address the issue of operational resilience. The supervisory authorities expect financial organisations to be able to provide their customers with key services and withstand disruptions at all times.
In FINMA Circular 2023/1, the Swiss Financial Market Supervisory Authority defines “Operational risks and resilience – banks” as follows:
|
“Operational resilience refers to the institution’s ability to restore its critical functions in case of a disruption within the tolerance for disruption. That is to say, the institution’s ability to identify threats and possible failures, to protect itself from them and to respond to them, to restore normal business operations in the event of disruptions and to learn from them, so as to minimise the impact of disruptions on the provision of critical functions. An operationally resilient institution has designed its operating model in such a way that it is less exposed to the risk of disruptions in relation to its critical functions. Operational resilience thus reduces not only the residual risks of disruptions, but also the inherent risk of disruptions occurring. Effective operational risk management helps strengthen the institution’s operational resilience.” |
DORA and FINMA Circular: avoid non-conformity through comprehensive knowledge
The Digital Operational Resilience Act (DORA) applies to financial entities that offer their services in the European Union. DORA aims to create a harmonised approach to mitigating ICT-related incidents and ensuring that the sector can remain resilient in the event of a major disruption.
The DORA Regulation is a “lex specialis” for the financial sector and, as a special law, takes precedence over the NIS2 Directive as a general law.
The following definition can be found in DORA:
|
“Digital operational resilience means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions.” |
Below is a brief (unofficial) comparison of selected elements of FINMA Circular 2023/1 with the DORA Regulation:
|
FINMA Circular 2023/1
|
DORA Regulation
|
|
|
Scope
|
Switzerland
|
European Union
|
|
Target groups
|
Applies to all types of financial institution that fall within FINMA’s remit, including banks, insurance companies and securities dealers. |
Applies to the entire EU financial sector, including banks, insurance companies, investment firms and critical third-party ICT providers. |
|
Scope
|
Comprehensive management of operational risks including management of ICT risks, cyber risks, business continuity management (BMC) and operational resilience. |
Operational resilience. |
|
Governance
|
Structures and roles for the holistic management of operational risks. |
Focus of governance on the management of ICT risks, responsibility at management board level. |
|
Incident management
|
Procedures for recognising, reporting and managing incidents, including emergency plans. |
Standardised reporting procedures for incidents and requirements for performing tests. |
|
Risk management
|
Comprehensive approach to the management of operational risks. |
Focus on the management of ICT risks and continuous monitoring. |
|
Third-party risks
|
Due diligence and monitoring of the third-party business relationship. |
Detailed requirements for managing third-party risks, including specifications for contractual obligations and continuous monitoring. |
|
Carrying out tests
|
Regular security tests and vulnerability assessments. |
Comprehensive resilience tests, including penetration and scenario-based tests. |
Both the FINMA Circular 2023/1 and the DORA Regulation aim to increase the operational resilience of the financial sector, albeit with different focuses and scopes. The FINMA Circular provides a comprehensive approach to managing operational risks, which includes ensuring adequate cyber security, for the Swiss financial sector.
The DORA Regulation focuses specifically on the digital operational resilience of the EU financial sector with detailed requirements for ICT risk management and third-party supervision. Financial institutions that take both sets of rules into account must adapt their risk management practices to fulfil both regulations. They must guarantee robust operational resilience. The similarities and overlaps between the two sets of regulations illustrate the trend towards improving operational resilience and managing ICT risks in the financial sector.
The FINMA Circular 2023/1 came into force on 1 January 2024. All of the requirements specified within it must be met by 31 December 2025. The DORA Regulation will be applicable in all EU countries as soon as it takes effect, scheduled for 17 January 2025.
Companies that are subject to the regulations of the financial sector are well advised to familiarise themselves comprehensively with the requirements of the FINMA Circular and the DORA Ordinance in order to avoid non-compliance.
Determine the maturity level of your operational resilience
Act now to see whether your company is well-positioned to ensure operational resilience and what still needs to be done. Our gap assessment gives you an overview of how your IT security strategy may deviate from the minimum requirements.
But that’s not all: our specialists will also provide you with specific technical, organisational and personnel-relevant recommendations and suggestions about which measures to implement immediately.
Contact us and gain clarity about your organisation's operational resilience. Benefit from a gap assessment conducted by our experts and start implementing the necessary measures with confidence.
Implementation of concrete safety measures?
At a time when digital technologies are evolving rapidly, an IT environment that deploys a holistic approach to security is the foundation for every organisation. Our security experts will be happy to help you, be it with our risk management & compliance services or with the 24/7 cyber defence & incident response services from our ISO 27001-certified Cyber Defence Center in Switzerland.
