MFSA identifies operational shortcomings, maps out improvements for ICT & cybersecurity practices

In light of risk management failings observed by the Malta Financial Services Authority (MFSA), the Authority has mapped out key risk areas in ICT and cybersecurity.

On Thursday, the MFSA issued its third volume of “The Nature and Art of Financial Supervision” series, which focusses on ICT Risk and Cybersecurity Supervision.

This document provides background on ICT risk and cybersecurity, including the applicable legal and regulatory framework.

It is part of the MFSA’s broader program, which includes its Vision 2021, and its Strategic Plan 2019-2021 – both of which placed substantial importance on ICT risk and Cybersecurity.

The initiatives, comment on, and make recommendations to, a cross-sector group that includes trading venues, central securities depositories, virtual financial assets, credit institutions and financial institutions.

In their checks, the MFSA said it observed instances that did not comply with the most effective practices.

It observed boards that were not adequately involved in ICT matters, that some ICT budgets did not adequately reflect increased and forthcoming operational requirements, and that some boards did not ensure that their organisations have in place the necessary ICT policies and procedures.

The MFSA also reiterated that “financial entities should have an adequate ICT and security risk management framework in place which is documented and continuously improved.”

The Authority identifies a number of ways that it regards some existing frameworks are inadequate, or that they have been inadequately implemented.

For example, it said that it “observed instances whereby there was no sufficient segregation of functions in accordance with the three lines of defence model to adequately manage conflicts of interest”

The MFSA made a number of proposals, consisting of the following main aspects:

1. ICT risk management – all financial institutions would be required to have in place an ICT risk management framework developed on key common principles that are risk-based and allow for a proportionate application. 
2. Incident reporting – communication on ICT-related incidents would be enhanced, extended to those subsectors currently not subject to such rules and normalised. 
3. Digital operational resilience testing – a proportionate and harmonised resilience testing framework.
4. Managing of ICT third party risk – enhanced monitoring of risks stemming from ICT Third Party Providers (TPPs) built upon (a) heightened outsourcing rules; and (b) oversight tools for supervisors in relation to ICT activities of TPPs.
5. Information sharing arrangements – a voluntary scheme encouraging communication on threats. 

The full report can be accessed here.