← Frameworks / Regulatory

FINMA Circular 2023/1 Operational Risk and Resilience — Banks

Swiss financial market supervisory authority circular covering technology infrastructure, cyber risk, critical data management, business continuity management, and outsourcing for banks and securities dealers. References use chapter and margin number format — e.g. IV.C(65) for cyber risk management margin 65 — across 114 margin numbers in 7 sections.

Clauses: 84

Avg Coverage: 77.2%

Publisher: Swiss Financial Market Supervisory Authority (FINMA) Version: 2023/1

FINMA Circular 2023/1 → SP 800-53 SP 800-53 → FINMA Circular 2023/1 Coverage Analysis

Clause	Title	SP 800-53 Controls
IV.A(23)	ICT governance framework and policies	AC-01 AT-01 AU-01 CA-01 CA-06 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PL-01 PL-02 PL-03 PL-06 PS-01 RA-01 SA-01 SA-02 SC-01 SI-01 SR-01 PL-09 PL-10 PL-11
IV.A(24)	ICT strategy alignment with business strategy	AC-01 CA-01 CA-06 PL-01 PL-02 PL-06 SA-02 PL-09
IV.A(25)	ICT strategy documentation and updates	PL-02 PL-03 SA-02 PL-10 PL-11
IV.A(28)	ICT infrastructure management and operations	AU-04 AU-08 CM-01 CM-02 CM-06 CM-07 CM-08 CP-08 MA-01 MA-02 MA-03 MA-04 MA-05 MA-06 PE-01 PE-09 PE-11 PE-14 PE-18 SA-03 SA-05 SA-06 SA-08 SC-06 SC-20 SC-21 SC-22 MA-07 PE-21 PE-22 PE-23 CM-12 SI-13
IV.A(29)	ICT capacity and performance management	AU-04 CM-02 CM-06 CM-08 MA-02 MA-03 MA-06 SA-08 SC-06 SI-13
IV.A(30)	ICT asset inventory	CM-02 CM-08 CM-12 CM-13
IV.A(31)	ICT architecture documentation	CM-02 CM-12 CM-13 PL-09
IV.A(36)	ICT change management framework	CM-01 CM-03 CM-04 CM-05 MA-01 MA-02 SA-01 SA-03 SA-05 SA-06 SA-07 SA-10 SA-11 SI-02 CM-14
IV.A(37)	Change control process and testing	CM-03 CM-04 CM-05 SA-03 SA-10 SA-11 CM-14
IV.A(38)	Change impact analysis	CM-03 CM-04 SA-10 RA-07
IV.A(39)	Change approval and documentation	CM-03 SA-10 CM-14
IV.A(40)	Emergency change procedures	CM-03 RA-07
IV.A(41)	Incident management framework	AU-05 IR-01 IR-02 IR-03 IR-04 IR-05 IR-07 SI-11 IR-09
IV.A(42)	Incident classification and prioritisation	IR-02 IR-04 RA-07 RA-09
IV.A(43)	Incident response and escalation	IR-04 IR-09
IV.A(44)	Incident monitoring and tracking	IR-05 IR-06
IV.A(45)	Incident reporting to FINMA	IR-06 IR-09
IV.A(46)	Incident notification to affected parties	IR-06 IR-09
IV.B.a(47)	Incident lessons learned	IR-06 AT-06
IV.B.a(48)	ICT personnel and security awareness framework	AT-01 AT-02 AT-03 AT-04 AT-05 PL-01 PL-02 PL-04 PL-06 PS-01 PS-02 PS-03 PS-06 PS-08 RA-01 AT-06 PS-09
IV.B.a(49)	ICT security training programme	AT-01 AT-02 AT-03 AT-04 PL-04 AT-06
IV.B.b(50)	Security awareness for all staff	AT-02 AT-03 AT-06
IV.B.b(51)	Ongoing security awareness updates	AT-02 AT-06
IV.B.b(52)	Threat intelligence and information sharing	AT-05 SI-05 RA-07
IV.B.c(53)	External threat intelligence sources	AT-05 SI-05 RA-07
IV.B.c(54)	ICT risk assessment framework	CA-05 CM-08 PS-02 RA-01 RA-02 RA-03 RA-04 RA-05 RA-06 RA-07 RA-08 RA-09
IV.B.c(55)	ICT risk identification and analysis	CA-05 CM-08 RA-02 RA-03 RA-04 RA-07 RA-09
IV.B.c(56)	Vulnerability management	RA-03 RA-05 SI-02 SI-05 RA-06 RA-07
IV.B.c(57)	Vulnerability scanning and assessment	RA-03 RA-05 RA-06
IV.B.d(58)	Risk assessment documentation and review	RA-03 RA-07 RA-09
IV.B.d(59)	Access control and security controls framework	AC-01 AC-02 AC-03 AC-04 AC-05 AC-06 AC-07 AC-08 AC-09 AC-10 AC-11 AC-12 AC-13 AC-14 AC-17 AC-18 AC-19 AC-20 AU-09 CM-05 IA-01 IA-02 IA-03 IA-04 IA-05 IA-06 IA-07 MA-04 MP-02 PE-02 PE-03 PS-04 PS-05 PS-06 SA-08 SC-01 SC-05 SC-07 SC-10 SC-11 SC-14 SC-15 SC-18 SC-23 SI-01 SI-02 SI-03 SI-07 SI-08 CA-09 SC-24 SC-46 SC-48
IV.B.d(60)	Identity and access management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-13 IA-01 IA-02 IA-04 IA-05 PS-04 PS-05 PS-09 CA-09
IV.C(61)	Authentication and session management	AC-02 AC-03 AC-06 AC-07 AC-10 AC-11 AC-12 IA-02 IA-05 SC-10 SC-24
IV.C(62)	Network security and segmentation	AC-04 AC-17 AC-18 CA-03 IA-03 MA-04 PE-04 SC-02 SC-03 SC-05 SC-07 SC-14 SC-15 SC-19 SC-20 SC-21 SC-22 CA-09 SC-46 SC-47 SC-48
IV.C(63)	Cryptography and data protection in transit	AC-04 AC-17 IA-07 MP-05 PE-19 SC-02 SC-03 SC-07 SC-08 SC-09 SC-11 SC-12 SC-13 SC-16 SC-17 SC-19 SC-23 SC-37 SC-40
IV.C(64)	Endpoint and software security	AC-19 CM-06 CM-07 SA-07 SC-12 SC-13 SC-17 SC-18 SI-02 SI-03 SI-07 SI-08 CM-14 SC-34 SC-44 SI-16
IV.C(65)	Malware protection	CM-07 SC-05 SI-03 SC-44 SI-16
IV.C(66)	Logging and monitoring framework	AU-01 AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-10 AU-11 CA-07 CM-04 IR-05 PE-06 PE-08 SI-01 SI-04 SI-11 SC-48
IV.C(67)	Security event logging	AU-01 AU-02 AU-03 AU-05 AU-06 AU-07 AU-09 AU-10 CA-07 IR-05 SI-04 SC-48
IV.C(68)	Log analysis and correlation	AU-02 AU-06 CA-07 SI-04 SC-48
IV.C(69)	Automated monitoring and alerting	AU-06 SI-04 SC-48
IV.C(70)	Cyber incident response framework	CP-10 IR-01 IR-02 IR-04 IR-07 IR-09 SC-24
IV.D(71)	Cyber incident containment and recovery	CP-10 IR-02 IR-04 IR-07 IR-09 SC-24 SI-14
IV.D(72)	Cyber incident eradication	CP-10 IR-04 SI-14 SC-34
IV.D(73)	Cyber incident reporting to FINMA	IR-06 IR-09
IV.D(74)	Cyber incident notification to clients	IR-06 IR-09
IV.D(75)	Security testing framework	CA-01 CA-02 CA-04 CA-05 CA-06 CA-07 IR-03 RA-05 SA-11 SI-06 CA-09 RA-06
IV.D(76)	Penetration testing and vulnerability assessment	CA-02 CA-04 CA-07 IR-03 RA-05 SA-11 SI-06 CA-09 RA-06
IV.D(77)	Independent security testing	CA-02 IR-03 CA-09
IV.D(78)	Data classification and protection framework	AC-15 AC-16 MP-01 MP-02 MP-03 MP-04 MP-05 MP-06 PE-19 PL-05 PT-01 PT-02 PT-03 PT-04 PT-05 PT-06 PT-07 RA-02 SC-01 SC-04 SC-08 SC-09 SI-07 SI-09 SI-10 SI-12 CM-12 CM-13 MP-08 RA-08 SC-42
IV.D(79)	Data classification scheme	AC-15 AC-16 MP-01 MP-03 PL-05 PT-01 PT-02 PT-03 PT-07 CM-12 CM-13 MP-08
IV.D(80)	Data handling and processing controls	AC-16 MP-02 MP-03 PT-03 PT-07 SI-09 SI-10 CM-13 SI-20
IV.D(81)	Data protection in storage and transit	MP-04 MP-05 PE-18 SC-08 SC-09 SC-25 SC-38
IV.D(82)	Data retention and archiving	AU-11 CP-09 MP-04 PT-06 SI-12 MP-08
IV.E(83)	Secure data disposal	AU-11 MP-06 SC-04 SI-12 SR-12 MP-08
IV.E(84)	Data quality and accuracy	MP-06 SI-10 SI-18 SI-21
IV.E(87)	ICT business continuity management framework	CP-01 CP-02 CP-05 SC-24
IV.E(88)	Business impact analysis for ICT	CP-01 CP-02 RA-09
IV.E(89)	ICT recovery capabilities	CP-02 CP-06 CP-07 CP-08 CP-09 CP-10 MA-06 PE-09 PE-10 PE-11 PE-12 PE-13 PE-14 PE-15 PE-17 PE-21 PE-23 SC-24 SI-13
IV.E(90)	ICT disaster recovery planning	CP-02 CP-06 CP-07 CP-08 CP-09 CP-10 PE-17 SC-24 SC-47
IV.E(91)	Recovery site and backup requirements	CP-02 CP-06 CP-07 CP-09 PE-23
IV.E(92)	Business continuity training	CP-03 AT-06
IV.E(93)	Business continuity awareness	CP-03 AT-06
IV.E(94)	Business continuity testing framework	CP-04 RA-09
IV.E(95)	Disaster recovery testing	CP-04 RA-09
IV.E(96)	Business continuity testing scenarios	CP-04 RA-09
IV.F(97)	Business continuity test results and improvements	CP-04 AT-06
IV.F(98)	Business continuity plan maintenance	CP-05
IV.F(99)	Business continuity plan distribution	CP-05
IV.F(100)	Outsourcing governance framework	AC-20 CA-03 MA-05 PS-03 PS-07 SA-01 SA-04 SA-09 SR-01 SR-02 SR-05 SA-21 SA-23
V(101)	Outsourcing risk assessment	AC-20 CA-03 MA-05 PS-07 SA-04 SA-09 SR-01 SR-02 SR-05 RA-07 RA-09 SA-21
V(102)	Outsourcing contractual requirements	PS-07 SA-04 SA-09 SR-02 SA-23
V(103)	Outsourcing due diligence	SA-04 SA-09 SR-02 SA-21 SA-23
V(104)	Outsourcing ongoing monitoring	SA-09 SR-03 CA-09
V(105)	Sub-outsourcing controls	SR-03
V(106)	Sub-outsourcing notification and approval	SR-03
V(107)	Sub-outsourcing risk management	SR-03 RA-07
V(108)	Sub-outsourcing audit rights	SR-03
V(109)	Supply chain provenance	SR-04 CM-14
V(110)	Supply chain provenance verification	SR-04 CM-14
V(111)	Acquisition strategy for ICT services	SR-05 SA-20
VI(112)	Acquisition methods and tools	SR-05 SA-20
VII.A(113)	Supplier assessment and review	SR-06 SR-10 SA-21
VII.B(114)	Supplier assessment frequency	SR-06 SR-10