The Malta Financial Services Authority (MFSA), through its Supervisory ICT Risk and Cybersecurity (SIRC) function, has published its 2024 general observations following a comprehensive programme of supervisory engagements with licence holders. The report reflects both outcomes-based and non-outcomes-based supervisory approaches, highlighting progress in digital operational resilience while underlining areas for improvement across the financial services sector.

Outcomes-Based Supervision

In 2024, SIRC piloted the Authority's outcomes-based supervision model, which follows a three-year cycle. Licence holders are reassessed two years after their initial review, with a twelve-month remediation period to address identified gaps. While only 13% of engagements were conducted under this model in 2024, MFSA intends to increase its use over time.

The results are encouraging: 61% of controls were fully achieved, 28% partially achieved, and only 9% not met. This means nearly 90% of controls assessed were at least partially satisfied, a strong signal of the sector's growing alignment with regulatory expectations.

Supervisory Priorities in 2024

MFSA's supervisory engagements centred on four key outcomes:

Adequate DORA preparedness

Strong risk management and compliance functions

Robust incident management processes

Effective third-party provider oversight

Across all four outcomes, meaningful progress was observed. However, recurring shortcomings were identified in the following areas:

DORA Chapter II – ICT Risk Management

Many licence holders continue to show weaknesses in risk identification, mitigation, and governance. Several firms have not fully embedded ICT risk into overall governance frameworks, nor have they addressed third-party risk management in line with regulatory expectations.

DORA Chapter III – ICT Incident Management

Deficiencies persist in incident classification, reporting protocols, and communication channels during ICT disruptions. Weak escalation procedures pose risks to operational continuity and regulatory compliance, especially against a backdrop of increasingly complex cyber threats.

DORA Chapter IV – Digital Operational Resilience Testing

While some firms have initiated resilience testing, structured testing frameworks remain underdeveloped. Advanced testing, including threat-led penetration testing, has been limited. Internal audit functions often lack ICT expertise, raising concerns about the independence and effectiveness of reviews. MFSA has issued its TIBER-MT framework and strongly encourages firms to integrate it into their operational resilience strategies.

DORA Chapter V – ICT Third-Party Risk Management

Most licence holders have begun registering outsourcing arrangements and adjusting contractual provisions. However, the Register of Information remains incomplete in many cases, and outsourcing policies often fail to fully integrate governance responsibilities, exit strategies, and monitoring mechanisms. Oversight of cyber risks and sub-outsourcing remains weak, underscoring the need for a more robust approach to third-party resilience.

Non-Outcomes-Based Supervision

Engagements outside the outcomes-based model also reflected progress, though results showed wider performance gaps: 55% of controls were fully achieved, 24% partially achieved, and 21% not met. The findings reinforce the importance of embedding ICT risk management, incident response, and third-party oversight consistently across the sector.

Conclusion

The MFSA commends licence holders for their growing commitment to strengthening digital operational resilience. Progress in outcomes-based engagements demonstrates that many firms are investing in frameworks and controls to meet supervisory expectations. However, recurring gaps in ICT risk management, incident response, and resilience testing require ongoing focus.

The Authority stressed that digital operational resilience is not merely a regulatory obligation but a pillar of trust, stability, and competitiveness in Malta's financial sector. As cyber threats continue to intensify, the ability to withstand and recover from ICT disruptions will be fundamental to safeguarding the financial system.

Cyber Finance Summit 2025

To support continued dialogue and sector-wide collaboration, MFSA has announced the launch of the Cyber Finance Summit, to be held on 15–16 October 2025 at the Mediterranean Conference Centre in Valletta. The event will bring together industry professionals, ICT providers, regulators, and international experts to share insights on cybersecurity and operational resilience.

Key topics will include:

Financial supervision in the digital age

The evolving cyber threat landscape

Macro-prudential cyber resilience approaches

ICT third-party and supply chain risk management

Regulatory developments and emerging technologies

The Summit offers keynote presentations, panel discussions, and networking opportunities, with CPD hours available for participants.