In 2020 the MFSA established the Supervisory ICT Risk and Cybersecurity function ('SIRC' function), to supervise how licence holders address, manage and de-risk ICT and cybersecurity. The SIRC function studied the industry and how licence holders operate and, on the 28th January 2021, published the third volume on the nature and art of financial supervision, flagging concerns relating to ICT and cybersecurity risks in the financial sector, and putting forward recommendations.

The said publication provides detailed background on the ICT Risk and Cybersecurity Supervision, detailing also future developments within the regulatory framework. The publication then moves on to detail the findings, prevailing risks, and recommendations.

The MFSA found that board members had no involvement in company ICT matters and the ICT strategy put forward by licence holders was not in line with its overall business strategy. Additionally, the MFSA found that firms had to dedicate increased budgets to address ICT operations adequately. Directors were also failing to have in place ICT policies and procedures. The MFSA suggested that licenced entities had to have in place internal governance and control frameworks aimed at addressing ICT and cybersecurity risks. Additionally, ICT strategies had to be in line with the business strategy of the licenced entities and budges dedicated to addressing ICT and cybersecurity risks had to be adequate.

The MFSA found that ICT and cybersecurity risks were not properly monitored, managed, defined, assigned, or integrated with the company risk management framework by boards and licenced entities, and they were not being given priority. Moreover, the MFSA found that function segregation was lacking, such that there were instances where Risk management functions were also responsible for ICT operations. Finally, the MFSA found that Internal Audit Functions were not qualified and adequately skilled to conduct ICT audits, and the latter was not included in audit plans. Given this, the MFSA suggested that licenced entities had to set-up and continuously improve ICT and security risk management frameworks which need to be accurately documented.

Concerning ICT outsourcing arrangements, the MFSA found that licenced entities were heavily reliant on outsourcing, resulting in due diligence performance deficiencies, particularly in relation to intra-group outsourcing. Moreover, outsourcing policies lacked detail and did not properly address ongoing monitoring and assessment, and conflict of interest risks. In this respect, the MFSA recommended that licence holders ensure that risks associated with ICT outsourcing had to be properly managed.1

The MFSA found that Business Impact Analysis (BIA) was not being conducted, plans lacked detail, and management failed to adequately manage business continuity backed with policies and procedures duly implemented and reviewed. Instead, licensed entities were heavily relying on the BIA of third-party providers (TPPs) without ensuring business continuity in case of service disruption by said TPPs. The MFSA recommended that all licenced entities have in place proper BIA practices maximising the ability to provide ongoing servicing, and limiting disruptions and the possible resulting impacts.

The MFSAs' work in this sector continues, and this to ensure that all regulated entities have adequate ICT and cybersecurity programmes in place to deter cyber-attacks, mitigate resulting risks, and also ensure increased training and awareness.2

Footnotes

1. In this context, the MFSA highlighted that, entities remain responsible and accountable for ongoing compliance with all regulatory obligations despite outsourcing arrangements.

2. In this context, it is also important to note the published Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements published by the SIRC function following the conclusion of a consultation process; setting out the MFSA's expectations on the manner in which licence holders manage technology arrangements, ICT and security Risk management and outsourcing arrangements.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.