Calls for Continued Sector-Wide Enhancement After 2024 Assessments
The Malta Financial Services Authority (“MFSA”), through its Supervisory ICT Risk and Cybersecurity (SIRC) function, published a Dear CEO Letter outlining a general observations report that summarises the findings of its 2024 supervisory engagements on digital operational resilience. The Authority welcomes the positive trends across the financial sector and underscores the imperative for further improvements.
2024 Supervisory Engagements: Approach and Scope
In 2024, the MFSA assessed licence holders’ digital operational resilience via a dual methodology, combining Outcomes-based and non-Outcomes-based supervisory techniques to capture both advanced and baseline readiness.
Key Findings on ICT Resilience and Control Outcomes
The results show significant momentum in aligning with regulatory expectations, particularly for controls evaluated under the Outcomes-based framework:
- Positive Progress: Under the 2024 Outcomes-based Supervision (focusing on DORA preparedness and robust risk practices), nearly 90% of assessed controls were fully or partially achieved: 61% attained a fully achieved score, and 28% a partially achieved score.
- Improvement Needed in Non-Outcomes Assessments: In the non-Outcomes-based engagements, 21 % of assessed controls received a “not met” rating, signalling gaps in baseline resilience and the need for consistency across supervisory approaches.
Recurring Gaps & Priority Improvement Areas
The MFSA has observed recurring themes that warrant sector-wide attention, aligned with chapters of the Digital Operational Resilience Act (DORA):
- ICT Risk Management (DORA Chapter II): Weaknesses include inadequate risk identification and mitigation, insufficient governance structures, and lack of integration of ICT risk with enterprise risk.
- Incident Management (DORA Chapter III): Many licence holders find difficulty in consistent incident classification, timely internal and external reporting, and maintaining effective stakeholder communication during disruptions.
- Resilience Testing (DORA Chapter IV): Although some licence holders have initiated resilience testing programmes, many remain at a preliminary stage. Evidence of structured testing, whether threat-led exercises (e.g. TIBER-style engagements) or penetration testing, is limited, and internal audit functions often lack the ICT specialism needed to review such programmes effectively.
- Third-Party Risk Management (DORA Chapter V): Gaps persist in the completeness and accuracy of the register of information, in oversight of third-party providers' service continuity and confidentiality arrangements, and in the auditability of ICT relationships.
Alan Decelis, Head of Supervisory ICT Risk and Cybersecurity at the MFSA, commented: “The progress demonstrated by licence holders in 2024 shows a stronger commitment to embedding digital operational resilience within their organisations. However, as the threat landscape evolves, sustained investment and sector-wide collaboration remain critical to achieving consistent and robust resilience across the financial system.”
Outlook & Next Steps
While the MFSA is heartened by strides made in 2024, it views digital operational resilience not merely as a regulatory obligation but as a cornerstone of stability, trust and competitiveness in the financial sector. The Authority commits to continued support for licence holders in strengthening their cyber and operational readiness.
Upcoming Event: Cyber Finance Summit
To further catalyse progress, the MFSA is pleased to announce the Cyber Finance Summit, to be held on 15-16 October at the MCC, Valletta, Malta. The event will convene industry professionals, financial institutions, ICT third-party providers, and regulators to exchange best practice and insights on topics such as Financial Supervision in the Digital Age, the Evolving Cyber Threat Landscape, and ICT Third-Party Risk Management.