The MFSA has just issued a document describing the supervisory focus for 2021 in the areas of ICT risk, Cybersecurity and ICT outsourcing. The SIRC (Supervisory ICT Risk and Cybersecurity function) forms part of the MFSA's supervision bodies.
The general feeling within the EU was that ICT risk and Cybersecurity supervision was fragmented and tailor-made for specific sectors and in line with this approach the European Supervisory Authorities (ESAs) published a number of guidelines.
The SIRC recently published a principle-based cross-sectoral Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements that sets out protocols for a variety of entities ranging from credit institutions to virtual financial assets and company service providers.
The main functions of the SIRC are:
- Supporting Authorizations – assisting in reviewing applications from an ICT risk and Cybersecurity perspective;
- Onsite Inspections – assisting with onsite inspections carried out by other supervisory departments and carrying out its own onsite inspections focused on ICT risk and Cybersecurity, with the primary intention of supervising adherence to industry best practices;
- Offsite Supervision – this is done through self-assessment forms and questionnaires being filled in by the license holders;
- Incident Reporting – The onus is on licensed entities to report significant ICT-related incidents to the MFSA;
- National and International Cooperation – the SIRC plays an important role in the National Cybersecurity Strategy Steering Committee, expert groups organized by the European Central Bank and other ESAs working groups.
The SIRC has recently been working on digital operational resilience regulations among a number of prospective developments as part of the Regulatory Framework.
8th March 2018 – the European Commission ("EC") published a FinTech action plan to foster increased competition and innovation in the European financial sector. Under the heading "Enhancing security and resilience of the financial sector", a workshop including both the public and private sectors was carried out to:
- Carry out an assessment as to what barriers are inhibiting information sharing in relation to cyber threats between financial market participants;
- Elicit potential solutions but keeping in full compliance with data protection standards;
- Map current supervisory practices used within different financial industries in relation to ICT security and governance requirements;
- Contemplate the promulgation of a guidance framework to bring about a more holistic supervisory approach in relation to the enforcement of ICT risk management and mitigation requirements in the EU financial sector;
- Provide the European Commission with technical advice regarding regulatory improvements;
- Evaluate costs and benefits of formulating a holistic cyber resilience testing framework when it comes to dealing with major EU financial sector market players and infrastructures.
10th April 2019 – the ESAs circulated two 'Joint Advice' documents to the EC, on:
- The requirement for regulatory developments in the ICT risk management within the financial sector; and
- Cost-benefit analysis of a holistic cyber resilience testing framework in relation to major EU financial sector market players and infrastructures.
19th December 2019 – The EC circulated the consultation document "Digital Operational Resilience Framework for financial services: Making the EU financial sector more secure", with the below sections:
- Part 1 – Stakeholder Identification, Transparency and Confidentiality;
- Part 2 – Building blocks for a potential EU initiative:
  - Targeted improvements of ICT and security risk management requirements;
  - Harmonization of ICT incident reporting;
  - Development of a digital operational resilience testing framework;
  - Better oversight of certain critical ICT third-party providers;
  - Promotion of (i) effective information sharing and (ii) better cooperation.
24th September 2020 – Digital Finance Package issued by EC that includes:
- Digital Finance Strategy;
- Retail Payments Strategy;
- Legislative proposals on crypto-assets; and
- Legislative proposals on Digital Operational Resilience, which included the below aspects:
  - ICT Risk Management – the proportionate and risk-based implementation of an ICT risk management framework for all financial institutions;
  - Incident reporting – an extension of the requirement to communicate ICT-related incidents to include more sectors;
  - Digital operational resilience testing – a proportionate and harmonized resilience testing framework;
  - Managing of ICT third party risk – enhanced monitoring of risks stemming from ICT Third Party Providers (TPPs), built upon (a) heightened outsourcing rules; and (b) oversight tools for supervisors in relation to the ICT activities of TPPs; and
  - Information sharing arrangements – a voluntary scheme encouraging communication on threats.
The Regulation on digital operational resilience for the financial sector and amending Regulations ("DORA") is currently at the proposal stage.
The SIRC put forward the following recommendations following the trends it saw whilst carrying out supervisory visits in 2020:
- ICT Governance and Strategy – the Board of Directors should allocate the necessary financial resources for the implementation of adequate internal governance and an internal control framework for dealing with ICT and cybersecurity risks. Alignment of the ICT strategy with the overall business strategy is essential;
- ICT and Security Risk Management – Entities operating in the financial sector should document and regularly develop an appropriate ICT and security risk management framework;
- ICT Outsourcing Arrangements – Effective management of outsourcing risks related to ICT is required, as entities operating in the financial sector retain responsibility and accountability for being in full compliance with their regulatory obligations and for ensuring their ongoing obligations are met continuously;
- Business Continuity Management – Financial Entities should establish adequate business continuity management practices that maximize their ability to continue to provide their services on an ongoing basis and to limit the adverse impact in the event of a disruption. As part of sound business continuity management, License Holders should conduct Business Impact Analysis by analyzing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability).
The SIRC will continue to support the sectoral supervisory functions to ensure regulated entities have an adequate cybersecurity programme in place designed to enhance resilience to cyber-attacks and mitigate the risks associated with such threats.
SIRC plans to:
- Develop an ICT and Cybersecurity risk model for supervision as a process for mapping out and prioritizing key risk areas within the industry;
- Carry out a comprehensive and cross-sectoral thematic desk-based review on ICT Risk and Cybersecurity matters, including outsourcing;
- Participate and contribute to local and foreign working groups and progress on the legislative proposals on digital operational resilience; and
- Engage with the industry and carry out education and awareness activities for stakeholders.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.