Switzerland’s FINMA Focus: Critical Data Risk Management
In the digital age, protecting critical data has become a top priority for financial institutions worldwide. Recognizing the significance of robust data risk management, the Swiss Financial Market Supervisory Authority (FINMA) issued circular FINMA 2023/1, which details the management of operational risk regarding technologies, critical data, and cyber risks. The regulation comes into force on January 1, 2024, to address data risks and the overall protection of critical data.
Section D of the circular contains specifications on how financial institutions in Switzerland should manage data risk. The circular clearly defines processes, procedures, tasks, and specific responsibilities for handling data identified as critical.
What is critical data risk management?
Critical data risk management is the process of identifying, assessing, and mitigating risks associated with sensitive and crucial data within financial institutions. It involves safeguarding data integrity, confidentiality, and availability, as well as addressing risks related to data breaches, cyber threats, and unauthorized access.
FINMA requirements for mitigating critical data risk
FINMA’s recent circular on operational risks and resilience serves as a significant milestone in strengthening the operational resilience of financial institutions in Switzerland. By outlining key provisions and requirements, FINMA aims to enhance the stability and continuity of financial services while mitigating operational risks. Financial institutions should proactively embrace the circular’s recommendations on:
- Data Discovery: “The institution shall identify its critical data in a systematic and comprehensive way, categorize it on the basis of its criticality and define clear responsibilities.”
- Data Lifecycle Management: “The critical data defined by the institution must be managed throughout its entire lifecycle.”
- Data Protection: “In the management of critical data, in particular, the confidentiality, integrity, and availability of the critical data must be ensured through appropriate processes, procedures, and controls.”
- Data Access: “Critical data must be adequately protected from being accessed and used by unauthorized persons during operations and during the development, change, and migration of ICT. This also applies to critical data in test environments.”
- Cross-Border Data Transfers: “If critical data is stored outside of Switzerland or if it can be accessed from abroad, increased risks associated with this must be adequately mitigated and monitored via suitable means and the data afforded particular protection.”
How BigID helps with FINMA data risk management requirements
BigID enables organizations to meet and manage FINMA data risk requirements with an automated, scalable approach to discover, classify, and protect critical information to achieve compliance. With BigID, organizations get:
- Deep Data Discovery: BigID helps organizations discover and inventory their critical data, including financial information covered by FINMA. This enables organizations to understand what data they have and where it is located, which is an important first step in achieving compliance.
- Accurate Classification: With exact value matching, BigID’s graph-based technology can identify and classify critical data in any environment, such as email, shared drives, databases, data lakes, and many more.
- Efficient Data Mapping: Automatically map PII and PI to identities, entities, and residencies to connect the dots in your data environments.
- Streamlined Data Lifecycle Management: Accurately find, classify, catalog, and tag your data, and easily enforce governance and control, from retention to deletion.
- ML-based Data Access Management: To support full compliance with FINMA, BigID helps mitigate the risk posed by open-access critical data by identifying and remediating file access violations across all data environments.
- Validated Data Transfers: Create policies that assign Swiss residency to data, enforce data residency requirements, and monitor and alert on cross-border data transfers.
- Effective Remediation: BigID helps define the remediation actions for critical data and provides audit records, with integration into ticketing systems like Jira for seamless workflows.
See how BigID helps organizations find critical data, limit or restrict access to data, and remediate risk to stay compliant with FINMA. Get a 1:1 demo with our data privacy experts.