Business continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations

Transcription

1 Business continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations June 2015

2 2 Publication details Recipients: All insurance companies supervised by Finma Publisher: Schweizerischer Versicherungsverband SVV Swiss Insurance Association SIA Conrad-Ferdinand-Meyer-Strasse 14 P.O. Box CH-8022 Zurich Tel Fax Competent body: Finance & Regulation Committee Contact person: Alex Schönenberger Finance & Regulation Unit Schweizerischer Versicherungsverband SVV Swiss Insurance Association SIA P.O. Box, CH-8022 Zurich Address for orders: 2015 Swiss Insurance Association SIA Last update: June 2015 ASA SVV BCM for insurance companies in Switzerland June 2015

3 Contents Starting point Objectives and responsibilities Basis Scope of application Minimum standards 6 1. Business impact analysis 6 2. Business continuity strategy 6 3. Business continuity measures 6 4. Exercises and tests 7 5. Operability and management Recommendations 8 Business continuity management specifications 8 External services 8 Crisis management 8 Crisis communication 9 Reviewing the business continuity management plans 9 Exercises and tests 9 Reporting Entry into force References Glossary BCM for insurance companies in Switzerland June 2015 ASA SVV

4 4 Starting point Extraordinary events and situations may have a significant negative impact on the business activity of any insurance company. Appropriate measures must be taken to deal with such events and safeguard critical business processes in order to maintain the viability of the company and ensure that its operations can continue. This is known as business continuity management (BCM). This document is addressed to all insurance companies supervised by the Swiss Financial Market Supervisory Authority (Finma) and contains minimum standards and recommendations for drawing up a company-specific business continuity management plan. The particular characteristics of the individual company especially its size, complexity and risk profile must be taken into consideration when preparing such a plan. Insurance companies in Switzerland fall within the scope of this document. The minimum standards and recommendations are not intended to impinge on the relationship between the company and its customers under civil law. Objectives and responsibilities The objective of business continuity management is to maintain the viability of the company and ensure that its business operations can be safeguarded and continued if extraordinary incidents and situations should occur. This covers all events that could jeopardise the business activity of the company, including: Technical or human error; Cyber attacks; Pandemics; Natural catastrophes; Terrorism. The Board of Directors is responsible for ensuring business continuity. It may delegate this task to the executive management or other functions. The minimum standards define the minimum requirements for insurance companies in Switzerland. The recommendations are intended to assist companies with formulating a comprehensive business continuity management plan. Business continuity management aims to minimise the financial, legal and reputational repercussions of such events and situations. ASA SVV BCM for insurance companies in Switzerland June 2015

5 5 Basis These minimum standards and recommendations are based on various recognised standards (see references in the Annex). In particular, they follow International Standard ISO 22313: «Societal Security Business Continuity Management Systems Guidance». According to the ISO standard, an integrated business continuity management system includes the elements shown in the diagram below. The elements of business continuity management 1. Business impact analysis 4. Exercises and tests 5. Operability and management 2. Business continuity strategy 3. Business continuity measures Scope of application Business continuity management should be understood as applying to the entire company. Its purpose is to ensure that critical business processes can be maintained, carried on in a timely manner or restored within a prescribed period during and after momentous, drastic, extraordinary events, whether internal or external. Companies need to consider all the relevant risks and threats that could potentially result in exceptional situations for them. This means situations that cannot be dealt with using ordinary management methods and decision-making powers, and that may jeopardise the business continuity of the company. Business continuity management expressly excludes dealing with faults that do not significantly or sustainably affect operations. When drawing up a business continuity management plan, the main emphasis is on the consequences (effects of the residual risks going forward) rather than the causes of exceptional situations. In order to restore critical business processes and business activities after an interruption, provision should be made for various business continuity options relating to the following business-critical resources: human resources, facilities (e.g. buildings / workplace infrastructure / energy supply), technical equipment / telecommunications / information technology (data / systems) and external service providers. In particular, business continuity management should enable legal, regulatory, contractual and internal requirements to be met in the best possible way in exceptional circumstances. BCM for insurance companies in Switzerland June 2015 ASA SVV

6 6 Minimum standards The business continuity management plan of an insurance company must include the following contents to meet the minimum supervisory requirements, and regular compliance checks must be made by the internal audit department or a relevant independent body. The contents of the plan must be customised to the requirements of the particular company in terms of scope and degree of detail. 1. Business impact analysis The business impact analysis must identify and determine time-critical and important business processes and the resources they require. The impact on these time-critical business processes of a complete or partial loss of the required resources must be assessed and used as a basis for the necessary transitional and recovery measures. In particular, the analysis considers the consequences for business (operations), finances, reputation and compliance. The analysis must also consider the relevant dependencies between the business processes (process dependencies). The business impact analysis must be carried out every three years and should be revised when necessary (e.g. when new business lines or new technologies are introduced). 2. Business continuity strategy The business continuity strategy defines the maximum tolerable downtimes; uses the business impact analysis to specify the business areas covered by the business continuity management plan; establishes the basic approaches to finding solutions (possible courses of action) in the event of an incident; specifies the scope of the business continuity measures for the following areas: human resources, facilities, technical / telecommunications / information technology and external service providers. Accepting the impact of exceptional circumstances without making use of ready-prepared transitional and recovery measures may also be an option. This choice should be documented accordingly in the business continuity strategy. 3. Business continuity measures On the basis of the business impact analysis and within the framework of the requirements set forth in the business continuity strategy, the business continuity measures describe how the company plans to ensure business continuity. The business continuity measures define the procedure and the means used to cope with interruptions and restore time-critical or key business processes, and specify the resources needed for this purpose (staff, facilities, technical / telecommunications / information technology, external service providers). The affected business areas and their staff must be informed of the business continuity measures (e.g. critical business processes may need to be conducted from alternative workplaces) and, where necessary, training should be provided (e.g. on the use of technical back-up systems). 4. Exercises and tests Exercises and tests are used to train and test staff on their ability to implement incident management. The frequency of exercises and tests on the defined measures (e.g. restarting critical IT systems) must be specified. Test results must be recorded and the relevant findings incorporated into the business continuity measures. ASA SVV BCM for insurance companies in Switzerland June 2015

7 7 5. Operability and management The business continuity management system must be solidly anchored within the corporate culture (e.g. laid down in the corporate strategy or business policy) and must be appropriately covered in the company s governance structure. A dedicated organisation for business continuity functions and special bodies for dealing with incidents (e.g. crisis or emergency management teams) must be defined. The roles, responsibilities and powers of these functions and bodies must also be specified. At the same time, resources must be planned and the necessary training provided for these functions. The frequency and scope of internal reporting (e.g. reports to the executive management) must also be laid down. BCM for insurance companies in Switzerland June 2015 ASA SVV

8 8 Recommendations The following recommendations are intended to help and guide companies in formulating their own business continuity management systems. How these recommendations are applied and implemented will depend in particular on the structure and extent of the company s risk situation. They are based on the contents of the business continuity strategy. Business continuity management specifications In the area of technical / telecommunications / information technology, the business continuity management specifications relating to the restoration of business processes may be defined in terms of the following expectations regarding timing and content: time needed to restore critical business processes (recovery time objective, or RTO); desired degree of restoration of critical business processes in relation to the specified RTO; maximum acceptable data loss in the event of an incident (recovery point objective, or RPO). External services For many business processes, services are provided by external providers and suppliers (outsourcing), and these may also experience failure. If support from external service providers and suppliers is necessary for critical business processes, the status of these external services with regard to business continuity management should be appropriately evaluated. Where possible and practicable, companies are recommended to plan workaround solutions to respond to the failure of critical external service providers and suppliers. As part of business continuity planning, transferring services from external to internal providers, or vice versa, may be one of the options considered. critical decisions and that cannot be dealt with using normal measures and decision-making powers, a dedicated body (such as a crisis committee or emergency organisation) is convened. This assumes the task of crisis management until normal conditions are resumed. In these circumstances there should be clear rules on how the crisis committee or emergency organisation is alerted, and on its responsibilities, powers and escalation criteria. The committee or organisation should take account of the business activity and geographical structure of the company. Crisis communication Communication both inside and outside the company is a decisive factor when dealing with incidents. Special attention should therefore be paid to preparing communication concepts and plans. These aim in particular at maintaining the company s credibility and retaining the confidence of its different stakeholders. Above all, communication plans ensure that people can be reached in an emergency (lists of names and contact details of customers, media, employees, supervisory authorities, counterparties, service providers etc.). They facilitate regular, preventive communication with the various stakeholders (customers, employees, shareholders, investors etc.). Special communication measures are required in the event of an incident with international ramifications. Crisis management Companies are recommended to define an appropriate crisis management plan and a corresponding crisis communication system so that they can deal with extraordinary events in an effective and timely manner. In situations that require ASA SVV BCM for insurance companies in Switzerland June 2015

9 9 Reviewing the business continuity management plan Business continuity reviews include reviewing the business continuity management documentation that has been produced, and evaluating whether these comply with the company s own business continuity specifications. Companies are recommended to define consistent review criteria and lay down a clear process for monitoring and remedying unresolved issues. Exercises and tests The focus and frequency of the individual exercises and tests should be defined with reference to the criticality assessment in accordance with the business impact analysis or internal guidelines. It may be useful to establish a process for monitoring and remedying vulnerabilities. Reporting Appropriate reports on business continuity management activities and the status of preparations for coping with incidents should be submitted to the responsible functions at set intervals. The reports should in particular contain the results of business continuity reviews and business continuity exercises and tests. Significant findings from the reports can be communicated internally and externally (outsourcing). BCM for insurance companies in Switzerland June 2015 ASA SVV

10 10 Entry into force These minimum standards and recommendations were approved by the Finance & Regulation Committee of the Swiss Insurance Association (SIA) on June 9, They enter into force on October 1, 2015 and must be implemented by July 31, Finma recognises these minimum standards within the meaning of art. 7 para. 3 FINMA Act as of September 23, Solely the German version shall be binding in case of any difference of interpretation. ASA SVV BCM for insurance companies in Switzerland June 2015

11 Annex 11 References International Organization for Standardization (ISO), ISO 22313:2012: Societal security Business Continuity Management Systems Guidance Federal Office for Information Security (BSI), BSI Standard Business Continuity Management, International Organization for Standardization (ISO), ISO/IEC 27031:2011: Information technology Security Techniques Guidelines for Information and Communication Technology Readiness for Business Continuity Glossary The SIA recommends the following as a reference for the definition of terms: ISO Standard 22301:2012 Societal security Business Continuity Management Systems Requirements, Chapter 3 «Terms and definitions». BCM for insurance companies in Switzerland June 2015 ASA SVV

12 Swiss Insurance Association SIA Conrad-Ferdinand-Meyer-Strasse 14 P.O. Box CH-8022 Zurich Tel Fax