In recent years, individuals and organisations have become increasingly dependent on Information and Communications Technology (ICT). The financial services sector is no exception, as ICT risk and cybersecurity continue to present significant challenges, with potential severe consequences on the resilience, performance and stability of financial systems and economies. In fact, in its Threat Landscape 2020 publication Main incidents in the EU and worldwide, the European Union Agency for Cybersecurity (ENISA) listed the financial sector as one of the top five most targeted sectors.

Against this backdrop, earlier on this year, the Malta Financial Services Authority issued the third volume of ‘The Nature and Art of Financial Supervision’ series, this time focusing on ICT Risk and Cybersecurity Supervision.

This document provides information about the approach adopted by the Authority to supervise licence holders in the areas of ICT Risk and Cybersecurity, including the management of risks associated with ICT outsourcing, collectively known as the area of Digital Operational Resilience.  The document also outlines several initiatives taken both at a national and European level, particularly concerning the future developments within the regulatory framework in these respective areas.

An important aspect reflected within the publication are the legislative proposals on digital operational resilience which stem from the European Commission’s Digital Finance Package published in September 2020. The Digital Finance Package touches upon a number of areas, including a Digital Finance Strategy, a Retail Payments Strategy, legislative proposals on Crypto-Assets, and legislative proposals on Digital Operational Resilience.

Over the past year, the MFSA has issued Circulars and a set of guidelines in the areas of technology arrangements, ICT and security risk management and outsourcing arrangements. These outreach initiatives are all intended to inform and prepare the industry ahead of the launch of this new regulatory framework which will bring about an overhaul in the ICT risk management and which financial institutions will be expected to adopt.  

The European Commission has considered some policy options, including that of strengthening capital buffers to increase the financial entities’ ability to take in losses that could arise due to deficiencies in Digital Operational Resilience.  The recommendation pointed towards introducing a financial services Digital Operational Resilience Act (DORA) for “enabling a comprehensive framework at EU level with consistent rules addressing the Digital Operational Resilience needs of all regulated financial entities and establishing an Oversight framework for critical ICT third-party providers”.

The legislative proposal emerges from the existing fragmentation in managing ICT risks. This includes ineffective reporting of incidents, limited awareness about threats, limited and uncoordinated security testing, also at times resulting from the increase in the use of third-party providers (particularly for the provision of ICT products and services).  These weaknesses are also among the findings made by the MFSA through its supervisory engagement carried out in 2020, as described in The Nature and Art of Financial Supervision publication. Based on the insight accumulated from these inspections, the document also provides recommendations which reflect those outlined in the EU Commission’s legislative proposal. Such recommendations focus, in particular, on the areas of ICT Governance and Strategy, ICT and Security Risk Management, ICT Outsourcing Arrangements, and Business Continuity Management. 

In the document, the Authority also shares its expectations for financial entities, which are to have adequate internal governance, with the necessary level of involvement and commitment by boards, while being supported by internal control frameworks for ICT and cybersecurity risks.  It also expects that the ICT and cybersecurity risk management framework is adequate, documented and continuously improved.  The MFSA is looking more closely at how financial entities are managing risks associated with ICT outsourcing including intra-group outsourcing.  Within the context of COVID-19, the Authority also examined more closely the business continuity management practices of financial entities.

Cognisant of ongoing incidents of breaches and successful cyber-attacks, coupled with an ever-increasing reliance on ICT, through this document the MFSA is providing guidance, sharing insights and establishing benchmarks for regulated entities, which go beyond supervision and regulatory compliance.

To read the full publication visit: https://www.mfsa.mt/wp-content/uploads/2021/01/The-Nature-and-Art-of-Financial-Supervision-Volume-III-ICT-Risk-and-Cybersecurity.pdf .

 

Alan Decelis, Deputy Head - Supervisory ICT Risk and Cybersecurity, MFSA