On 30 June 2020, the Supervisory ICT Risk and Cybersecurity Function (SIRC) of the Malta Financial Services Authority (MFSA) released a principle-based cross-sectoral document titled ‘Guidance on Technology Arrangements, ICT and Security Risks Management, and Outsourcing Arrangements’ for public consultation, directed at regulated firms in Malta. The period prior to its release involved extensive consultations with internal stakeholders (as the document is cross-sectoral), a detailed mapping of regulatory requirements from European Supervisory Authorities pertaining to ICT risks, and the inclusion of international standards and established frameworks in several sections of the Guidance document.
This document is in line with the Authority’s Strategic Plan 2019-2021 and reflects the Authority’s expectations from licence holders with respect to their approach in managing risks emanating from their technology infrastructure and processes, as well as putting in place adequate governance arrangements. The Guidance document further buttresses the Authority’s position in being a business enabler and its position in helping supervised entities in all aspects inasmuch as technology remains at the core of the financial services sector.
The Guidance document encompasses four high level principles: proportionality; principles-based consistency of outcomes; information assurance in technology arrangements; and approach to cloud computing. The Authority is providing guidance on technology arrangements, ICT and Security Risk Management as well as outsourcing arrangements. The section on technology arrangements covers the essential characteristics of cloud computing with major pointers to its service and deployment models, shared responsibilities for cloud service models, management of these cloud models and security monitoring. The section on ICT and security risk management covers internal governance and risk mitigating measures that entities are expected to adopt in managing all forms of risks associated with their technology infrastructure. It encapsulates various measures (ICT operations management, ICT project and change management, ICT Strategy, ICT Risk Management, Information Security) as overall components of supervised entities’ operational risk management framework. Lastly, the section on outsourcing arrangements provides detailed information on how licence holders are to apply a thorough risk management method to their outsourced functions. The section contains guidance on assessments prior to outsourcing, management of conflicts of interests, business contingency planning and clauses to be included in outsourcing agreements.
The MFSA, through its newly formed Supervisory ICT Risk and Cybersecurity Function, is entrusted with the task of engaging continuously with supervised firms, by monitoring their adherence to expectations with regard to their technology infrastructure through thematic reviews via on-site inspections and off-site supervision.
As stated in its Strategic Plan 2019-2021, the Authority’s aim is to ensure that all licence holders are resilient to cyber threats and technological disruption to prevent data breaches, the loss of data and to safeguard the availability and integrity of data.