Supervisory ICT Risk and Cybersecurity


Information and Communications Technology (ICT) has become a critical dependency for organisations and people alike. Inevitably, we are seeing an increased interest in ICT risk and Cybersecurity by standards organisations, policymakers, and regulators worldwide including within the financial services industry.

ICT risk and Cybersecurity continue to present significant challenges to, and potential severe consequences on, the resilience, performance, and stability of financial systems and economies, as highlighted by European and international Boards and Committees. We are also seeing an increased relevance on third party dependencies and risks associated with ICT outsourcing as part of ICT risk management.

The Authority places substantial importance on ICT risk and Cybersecurity which remains a cross-sectoral priority. The establishment of the Supervisory ICT Risk and Cybersecurity function as a cross-sector supervisory function was a critical milestone. The function works closely with the other supervisory functions and is responsible for the supervision of licence holders in the areas of ICT risk and Cybersecurity and the management of risks associated with ICT outsourcing, collectively the area of and Digital Operational Resilience.

Guidance Document

The Supervisory ICT Risk and Cybersecurity function has issued principle-based  cross-sectoral guidelines (“Guidance Document”) in the areas of Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, setting out the Authority’s expectations. The guidelines are in line with the MFSA’s Strategic Plan 2019-2021 and the Authority’s efforts to ensure operational resilience within the financial services industry. It is recommended that all supervised entities make effective use of the Guidance document and approach it with a view to align with the Authority’s expectations therein.

The Nature and Art of Financial Supervision – Volume III – ICT Risk and Cybersecurity

On 28 January 2021 the Supervisory ICT Risk and Cybersecurity function issued the publication ‘The Nature and Art of Financial Supervision – Volume III – ICT Risk and Cybersecurity‘. This publication provides information about ICT Risk and Cybersecurity supervision within the financial services industry and the approach adopted by the Authority in this regard. It further provides insight into future developments on the regulatory framework in the respective areas.

The document highlights the Authority’s main findings and prevailing risks based on supervisory interactions with licence holders in 2020, and puts forward recommendations in this regard. It also describes the MFSA’s supervisory focus for 2021 in the areas of ICT risk and Cybersecurity as well as ICT outsourcing.