mfsa

In light of risk management failings observed by the Malta Financial Services Authority (MFSA), the Authority has mapped out key risk areas in ICT and cybersecurity.

On Thursday, the MFSA issued its third volume of “The Nature and Art of Financial Supervision” series, which focusses on ICT Risk and Cybersecurity Supervision.

This document provides background on ICT risk and cybersecurity, including the applicable legal and regulatory framework.

It is part of the MFSA’s broader program, which includes its Vision 2021, and its Strategic Plan 2019-2021 – both of which placed substantial importance on ICT risk and Cybersecurity.

The initiatives, comment on, and make recommendations to, a cross-sector group that includes trading venues, central securities depositories, virtual financial assets, credit institutions and financial institutions.

In their checks, the MFSA said it observed instances that did not comply with the most effective practices.

It observed boards that were not adequately involved in ICT matters, that some ICT budgets did not adequately reflect increased and forthcoming operational requirements, and that some boards did not ensure that their organisations have in place the necessary ICT policies and procedures.

The MFSA also reiterated that “financial entities should have an adequate ICT and security risk management framework in place which is documented and continuously improved.”

The Authority identifies a number of ways that it regards some existing frameworks are inadequate, or that they have been inadequately implemented.

For example, it said that it “observed instances whereby there was no sufficient segregation of functions in accordance with the three lines of defence model to adequately manage conflicts of interest”

The MFSA made a number of proposals, consisting of the following main aspects:

  1. ICT risk management – all financial institutions would be required to have in place an ICT risk management framework developed on key common principles that are risk-based and allow for a proportionate application. 
  2. Incident reporting – communication on ICT-related incidents would be enhanced, extended to those subsectors currently not subject to such rules and normalised. 
  3. Digital operational resilience testing – a proportionate and harmonised resilience testing framework.
  4. Managing of ICT third party risk – enhanced monitoring of risks stemming from ICT Third Party Providers (TPPs) built upon (a) heightened outsourcing rules; and (b) oversight tools for supervisors in relation to ICT activities of TPPs.
  5. Information sharing arrangements – a voluntary scheme encouraging communication on threats. 

The full report can be accessed here.

Related

Corradino accident

Accidents like Corradino factory collapse will continue repelling locals from a career in construction

December 5, 2022
by Arnas Lasys

Fewer than 15 per cent of workers have acquired the construction industry skills card

‘Europe may yet avoid a recession this winter’ – Edward Scicluna

December 5, 2022
by Robert Fenech

‘Bank loans must become more expensive if we are to beat inflation’

ME, Chamber of Engineers collaborate to highlight new career opportunities

December 5, 2022
by BN Writer

Through this collaboration engineering professionals will be exposed to opportunities that can augment their careers in industrial segments