FINMA Circular 2023/01 – Chapter IV D: Critical Data Risk Management
The recently published FINMA circular 2023/01 titled "Operational Risks and Resilience - Banks" outlines the supervisory approach for managing operational risks, including those relating to information and telecommunication technology (ICT), cyber, and critical data. Managing ICT and cyber risks has been a key focus for many institutions in recent years but focusing on the effective management of critical data will represent a shift for most enterprise risk management frameworks. To help organisations meet the new regulatory requirements, Deloitte recommends a five-step approach.
Data is the lifeblood of the financial services industry, and as it increases in volume and complexity, regulators are taking measures to prevent incidents that could have a severe impact on the industry and the broader economy. The recently released FINMA circular 2023/01 sets out guiding principles for managing operational risks and resilience in the financial services industry, and chapter IV D deals with critical data risk management. The circular is intentionally not prescriptive, which means that organisations need to interpret the principles and tailor the implementation of the regulation to their particular circumstances.
Deloitte proven five-step approach
The new regulation highlights the need for financial institutions to ensure that their management of critical data is adequate. We propose a five-step approach to meeting the heightened requirements and managing effectively the risks associated with critical data.
(Click on the individual steps to learn more)
The first step is to define critical data consistently across the business. According to FINMA, critical data is “data, that in view of the institution’s size, complexity, structure, risk profile and business model, is of such crucial significance that it requires increased security measures”. The circular makes the following points about the classification of data as critical:
- It depends on the “confidentiality, integrity, and availability” of the data.
- It is context-specific, meaning that whether data is ‘critical’ varies with the unique circumstances of each bank.
We suggest that there are four dimensions to the meaning of ‘context-specific’:
- Impact on the market: Data that has relevance and impact on a wider scale than the organisation itself.
- Impact on the bank: Data that is needed to operate essential processes or that can expose the bank to loss or damage.
- Impact on clients: Data that is needed to operate essential client services or data that is confidential.
- Regulatory impact: Data that is needed to conduct compliance operations and fulfil regulatory obligations.
The figure below summarises the main scenarios and factors to consider across these four dimensions.
Incidents that affect the confidentiality, integrity or availability of critical data with significant impact on any of these four dimensions must be reported promptly to FINMA.
Identifying critical data requires first of all a good understanding of the organisation’s data landscape. We suggest three possible approaches to identifying data, depending on the maturity level of the existing data and process management frameworks:
- Data modelling approach:
This is a top-down approach to identifying critical data, which consists of creating a cross-functional data model capturing data domains and their interactions according to a conceptual map. The data model provides a holistic overview of the data landscape and enables the identification of data elements. - Process mapping approach:
This is a bottom-up approach to identifying critical data, which consists of creating functional process maps representing workflows and tasks within business processes. The process maps allow the identification the data required to perform each task and the corresponding data elements. - Hybrid approach:
This approach consists of combining the top-down approach of data modelling and the bottom-up approach of process mapping, to obtain a more complete and accurate representation of the data landscape.
Regardless of the approach used, priority should be given to the core functions of the organisation and maintaining a focus on identifying critical. In doing so, it is important to remember that critical data is not necessarily associated with critical functions and critical processes.
Finally, the criticality of the identified data elements can be tested against the dimensions defined in Critical data definition. The figure below provides a non-exhaustive set of questions that can be asked in order to identify critical data and the reasons why it is critical.
The outcome of the identification exercise should be a list or logical structure of critical data elements, with the reasons for their criticality.
For example:
- A corporate lender may identify “total credit amount” or “internal credit rating” as critical data: Could data of low quality lead to wrong decisions taken by the bank?
- An investment firm may classify “exchange rates”, “interest rates”, “stock prices” as critical data: Could unavailability disrupt financial services that are critical for the market?
The FINMA circular states: “The critical data defined by the institution must be managed throughout its entire life-cycle.” Key questions in this context are:
- What are the phases of the data life-cycle to consider?
- Who are the key stakeholders and what systems are involved?
- How is the transition between phases managed?
This information is important for risk identification and mitigation, as it identifies the appropriate stakeholders to involve at the right time.
The data life-cycle can be segmented in various ways. The figure below shows a possible subdivision into five phases.
With each phase of the data life-cycle, potential risks relating to critical data must be assessed. These risks can be mapped against the dimensions that determine criticality, i.e.: confidentiality, integrity and availability. The matrix below maps typical risks along the data life-cycle.
The fifth and final step is the most important, given that organisations will not only be assessed on their ability to identify risks, but above all will have to demonstrate that they have taken appropriate measures to mitigate them.
It is likely that the majority of risks will already be covered by various existing measures. Nevertheless, a gap analysis should be performed to identify any risks that have not been addressed.
Mitigation measures will vary depending on the organisation and its data strategy. However, they can be summarised within generic groups, ICT/cyber measures and data management measures, as shown in the figure below.
Conclusion
Financial institutions need to prioritise effective management and protection of critical data assets, in adherence to FINMA circular 2023/01. We recommend our five-step approach, which helps organisations to define critical data, implement an identification process, establish a data lifecycle management process, pinpoint key risks, and define appropriate risk mitigation measures to safeguard critical data.
Our team has successfully supported numerous institutions in addressing the challenges that stem from data-related risks, and we would be delighted to assist your organisation in achieving compliance with this new regulation.
