In light of risk management failings observed by the Malta Financial Services Authority (MFSA), the Authority has mapped out key risk areas in ICT and cybersecurity.

On Thursday, the MFSA issued its third volume of “The Nature and Art of Financial Supervision” series, which focusses on ICT Risk and Cybersecurity Supervision.

This document provides background on ICT risk and cybersecurity, including the applicable legal and regulatory framework.

It is part of the MFSA’s broader program, which includes its Vision 2021, and its Strategic Plan 2019-2021 – both of which placed substantial importance on ICT risk and Cybersecurity.

The initiatives comment on, and make recommendations to, a cross-sector group that includes trading venues, central securities depositories, virtual financial assets, credit institutions and financial institutions.

In its checks, the MFSA said it observed instances that did not comply with the most effective practices.

It observed boards that were not adequately involved in ICT matters, that some ICT budgets did not adequately reflect increased and forthcoming operational requirements, and that some boards did not ensure that their organisations have in place the necessary ICT policies and procedures.

The MFSA also reiterated that “financial entities should have an adequate ICT and security risk management framework in place which is documented and continuously improved.”

The Authority identifies a number of ways in which it regards some existing frameworks as inadequate, or as inadequately implemented.

For example, it said that it “observed instances whereby there was no sufficient segregation of functions in accordance with the three lines of defence model to adequately manage conflicts of interest”.

The MFSA made a number of proposals, consisting of the following main aspects:

  1. ICT risk management – all financial institutions would be required to have in place an ICT risk management framework developed on key common principles that are risk-based and allow for a proportionate application. 
  2. Incident reporting – communication on ICT-related incidents would be enhanced, extended to those subsectors currently not subject to such rules and normalised. 
  3. Digital operational resilience testing – a proportionate and harmonised resilience testing framework.
  4. Managing of ICT third party risk – enhanced monitoring of risks stemming from ICT Third Party Providers (TPPs) built upon (a) heightened outsourcing rules; and (b) oversight tools for supervisors in relation to ICT activities of TPPs.
  5. Information sharing arrangements – a voluntary scheme encouraging communication on threats. 

The full report can be accessed here.
