Secure implementation of FINMA regulations
As an independent authority over the Swiss financial market, FINMA (Financial Market Authority) has regulatory authority over banks, insurance companies, stock exchanges, financial institutions, collective investment schemes, their asset managers and fund management companies, as well as insurance intermediaries.
If a company wants to manage money from clients or accept money from investors, underwrite insurance policies or set up or manage funds, it requires a license from FINMA. A license is only granted to those who meet the legal requirements.
FINMA must ensure that supervised entities comply with financial market laws, ordinances and circulars. FINMA’s ongoing supervisory activities are primarily aimed at ensuring that supervised entities
hold sufficient own funds
are sufficiently liquid
have good risk management
have an appropriate internal organization and
maintain appropriate control systems.
Particularly the last three items have a direct impact on IT security.
Complying with FINMA regulations through smart IT security solutions
Compliance rules are constantly becoming more stringent, so comprehensible and secure access procedures for the IT infrastructure are indispensable. Questions such as: who has access rights to which data? When and by whom was certain data accessed? Who created a user account in the first place? The responsible persons must be able to answer these and many other questions quickly and easily. However, there are still gaps in this area, and many companies are only partially able to provide reliable answers given their heterogeneous hardware and software structures. In this situation, the importance of Identity & Access Management (IAM) solutions is increasing.
Such solutions regulate authorizations and access to the entire IT infrastructure and thus provide the necessary overview. Modern IAM solutions connect to existing systems via interfaces and thus enable the assignment of correct and consistent access rights, for example for Active Directory, NTFS, SAP or email programs. Acting as a central instance, such a solution can generate complete evaluations and reports on authorizations and user accounts in a network at the push of a button.
FINMA regulations require Identity Governance
Not many companies execute comprehensive, end-to-end identity and access governance. However, it is a basic prerequisite for maintaining a high level of IT security and defending against targeted internal and external attacks.
In a nutshell, identity governance is the combination of policy-driven identity management and adherence to compliance regulations. Specifically, this involves company-wide role and authorization assignments, the regulation of user access, and the monitoring of compliance requirements.
At present, there are various approaches to solutions in the identity governance environment: for example, identity lifecycle solutions with governance functions or pure identity management solutions. They all have different advantages and disadvantages, but they clearly show that there is currently no “one-size-fits-all” solution: one that offers complete risk detection and representation by identifying all users and their rights, controls access to IT resources, and monitors and logs all business-critical activities in a compliant manner.
Privileged Access Management is mandatory
At this point, the entire complexity of the topic of identity governance becomes evident. In many large organizations, user management is a common practice, and privileged user accounts are often managed, secured and monitored. But privileged access management is a much broader topic. It also includes application or software accounts, i.e. passwords stored in applications, scripts or configuration files. They are required for direct, automatic access from applications to back-end systems, for example to databases. Since passwords are usually embedded in plain text and (almost) never changed, they represent a significant security risk. A modern PAM solution offers the possibility to eliminate these static passwords and to centrally store, manage and regularly change all application accounts.
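The risk described above, as an added example that is not part of the original article: a small scanner that flags plaintext credentials embedded in configuration files and scripts, so such accounts can be found and moved into a central PAM store. The sample files are constructed; the `vault:` reference syntax is an assumed convention for values resolved from the PAM store at runtime.

```python
"""Find static credentials embedded in config files and scripts (added example)."""
import re
from typing import Dict, List, Tuple

# Key names that commonly carry credentials (matched case-insensitively).
CREDENTIAL_KEYS = r"(?:password|passwd|pwd|secret|api[_-]?key|token)"

# key=value / key: value, with optional quotes; also matches inside
# connection strings such as "...;user=app;password=...;".
ASSIGNMENT = re.compile(
    rf"(?P<key>[\w.\-]*{CREDENTIAL_KEYS}[\w.\-]*)\s*[:=]\s*[\"']?(?P<value>[^\"'\s;]+)",
    re.IGNORECASE,
)
# Values that are not static secrets: a vault reference (assumed convention),
# a ${...} interpolation resolved at runtime, or a <...> documentation placeholder.
REFERENCE = re.compile(r"^(?:vault:|\$\{|<)", re.IGNORECASE)


def scan_text(name: str, text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number, key) for every plaintext credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank lines and comments carry no live credential
        m = ASSIGNMENT.search(line)
        if m and not REFERENCE.match(m.group("value")):
            findings.append((name, lineno, m.group("key")))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str]]:
    """Scan a mapping of file name -> contents (stands in for a directory walk)."""
    return [f for name, text in files.items() for f in scan_text(name, text)]


# Constructed sample files: three embed static passwords, one delegates to the vault.
SAMPLE_FILES = {
    "app.properties": "db.user=appsvc\ndb.password=S3cret!\n",
    "backup.sh": '#!/bin/sh\n# nightly dump\nexport DB_PASSWORD="Hunter2"\n',
    "jdbc.cfg": 'url="jdbc:sqlserver://db;user=app;password=Winter2024;"\n',
    "hardened.properties": "db.user=appsvc\ndb.password=vault:prod/crm/db\n",
}

if __name__ == "__main__":
    for file, line, key in scan_files(SAMPLE_FILES):
        print(f"{file}:{line}: embedded credential in '{key}'")
```

Each finding is an application account that a PAM solution should take over, so that the literal is replaced by a reference and the password can be rotated centrally.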
Compliance and FINMA regulations require user and rights management
Identity governance also implies the adequate implementation of compliance requirements and the fulfillment of FINMA regulations.
The complexity of the topic of identity governance and FINMA compliance shows one thing very clearly: companies should use the services of an external service provider to find secure and cost-effective solutions that meet all requirements. Otherwise, companies quickly reach their capacity limits, for example when identifying personal data or determining user rights, or when implementing identity governance projects in general.
Security services are therefore another option in addition to on-premise solutions. There is an urgent need for action, especially with regard to FINMA regulations; after all, no one is immune to incidents.
Our profound know-how forms the basis of our comprehensive portfolio of Consulting Services.