Supervisory ICT Risk and Cybersecurity
Information and Communications Technology (ICT) has become a critical dependency for organisations and people alike. Inevitably, we are seeing an increased interest in ICT risk and Cybersecurity by standards organisations, policymakers, and regulators worldwide including within the financial services industry.
ICT risk and Cybersecurity continue to present significant challenges to, and potentially severe consequences for, the resilience, performance, and stability of financial systems and economies, as highlighted by European and international Boards and Committees. We are also seeing an increased relevance of third-party dependencies and of the risks associated with ICT outsourcing as part of ICT risk management.
The Authority places substantial importance on ICT risk and Cybersecurity, which remains a cross-sectoral priority. The establishment of the Supervisory ICT Risk and Cybersecurity function as a cross-sector supervisory function was a critical milestone. The function works closely with the other supervisory functions and is responsible for the supervision of licence holders in the areas of ICT risk and Cybersecurity and the management of risks associated with ICT outsourcing, collectively the area of Digital Operational Resilience.
The Supervisory ICT Risk and Cybersecurity function has issued principle-based cross-sectoral guidelines (“Guidance Document”) in the areas of Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, setting out the Authority’s expectations. The guidelines are in line with the MFSA’s Strategic Plan 2019-2021 and the Authority’s efforts to ensure operational resilience within the financial services industry. It is recommended that all supervised entities make effective use of the Guidance Document and approach it with a view to aligning with the Authority’s expectations set out therein.
On 28 January 2021 the Supervisory ICT Risk and Cybersecurity function issued the publication ‘The Nature and Art of Financial Supervision – Volume III – ICT Risk and Cybersecurity’. This publication provides information about ICT Risk and Cybersecurity supervision within the financial services industry and the approach adopted by the Authority in this regard. It further provides insight into future developments of the regulatory framework in the respective areas.
The document highlights the Authority’s main findings and prevailing risks based on supervisory interactions with licence holders in 2020, and puts forward recommendations in this regard. It also describes the MFSA’s supervisory focus for 2021 in the areas of ICT risk and Cybersecurity as well as ICT outsourcing.
Major ICT-Related Incident Reporting
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (‘DORA’), is a Regulation applicable to entities within the financial services sector, and it aims at enhancing entities’ digital operational resilience. It came into effect on 16 January 2023 and will be applicable from 17 January 2025. The Regulation is accompanied by Directive (EU) 2022/2556. Member States are required to adopt the necessary provisions and measures to implement the DORA Regulation and to transpose Directive (EU) 2022/2556.
DORA is a complex yet comprehensive Regulation which sets requirements in the following areas: (1) ICT Risk Management; (2) Incident Management, Classification and Reporting; (3) Digital Operational Resilience Testing; (4) ICT Third-Party Risk; and (5) Voluntary Information Sharing Arrangements. The Regulation will be technically supplemented by ten (10) Regulatory and Implementing Technical Standards, which have different legal deadlines ranging from January to July 2024.
The European Supervisory Authorities (ESAs) Guidelines and the Supervisory ICT Risk and Cybersecurity Function’s Guidance Document on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance Document’) have been cross-referenced in several of the Authority’s Prudential Supervision Rulebooks. Therefore, as applicable, entities within the scope of these Rulebooks are expected to comply with the ESAs Guidelines and the Guidance Document to the extent set out in the Rules. A complete list of such cross-references can be found in the “Cross-references to the Guidance Document on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements and Applicable ESAs Guidelines (as of May 2023).”
The current ICT and Cyber-related regulatory framework applicable to the financial services sector comprises, inter alia, the European Supervisory Authorities (ESAs) Guidelines. These Guidelines are sector-specific and are used as supervisory benchmarks throughout the various stages of an entity’s supervisory lifecycle, from Authorisation to Supervisory Engagements. For Credit Institutions undergoing the Supervisory Review and Evaluation Process (‘SREP’), the Guidelines on ICT Risk Assessment under SREP are also taken into account.
Building upon the ESAs Guidelines, the Supervisory ICT Risk and Cybersecurity function published in 2020 its Guidance Document on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance Document’). The Guidance Document sets out the Authority’s expectations of financial entities in the area of ICT.
DORA, Regulation (EU) 2022/2554, aims at increasing the digital operational resilience of financial entities within its scope. It sets proportionate requirements in five key areas: (1) ICT Risk Management; (2) Incident Management, Classification and Reporting; (3) Digital Operational Resilience Testing; (4) ICT Third-Party Risk; and (5) Voluntary Information Sharing Arrangements. The Regulation is accompanied by Directive (EU) 2022/2556.
DORA entered into force on 16 January 2022 and will be fully applicable by 17 January 2025. These dates also apply to the DORA Directive.
The scope of the Regulation is outlined in Article 2. However, the Authority understands that some entities may need further clarity on the applicability of the Regulation due to home-grown regimes and other factors. If you are unsure whether the DORA Regulation applies to you, please do not hesitate to contact us on [email protected].
However, as a way of clarification, it should be noted that pursuant to Article 2 of the DORA Regulation, Trustees & Fiduciaries, Company Service Providers and Virtual Financial Assets (VFA) Agents are not within scope of the DORA Regulation.
In turn, note that the DORA Regulation will apply to self-managed Alternative Investment Funds (AIF) and Undertakings for Collective Investment in Transferable Securities (UCITS).
The DORA Regulation has a very robust proportionality principle made up of four layers that build upon each other, respectively: (1) the exceptions to scope specified in Article 2(3) of the DORA Regulation; (2) the proportionality principle, under which entities are required to apply the requirements of the Regulation taking into account their size, risk profile, and the nature, scale and complexity of their services, activities and operations; (3) microenterprises are excluded from certain requirements and/or benefit from lighter requirements, as applicable; and (4) Article 16 entities are also excluded from certain requirements and/or benefit from lighter requirements, as applicable.
Since proportionality under the DORA Regulation is based on the layers described above, an entity which is both a microenterprise and an Article 16 entity will benefit from the lightest of the requirements under the DORA Regulation. Financial entities are to note that proportionality will also be taken into account during the drafting of the Regulatory and Implementing Technical Standards, currently being carried out by the European Supervisory Authorities (‘ESAs’).
The DORA Regulation will be technically supplemented by ten (10) Regulatory and Implementing Technical Standards. For further details please refer to Annex 1 of our Circular on Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector published in the EU Official Journal.
What will happen to the current applicable Guidelines (European Supervisory Authorities’ Guidelines and the MFSA’s Guidance Document)?
The applicability of the ESAs’ Guidelines is expected to be reviewed by the ESAs in due course, taking into account the legal deadlines for the Regulatory and Implementing Technical Standards.
Because of the interconnectedness of such Guidelines with the Authority’s Guidance Document, the assessment of the applicability and continued existence of the Guidance Document post-DORA will also follow in due course.
Is there any interaction between DORA and other cyber-related EU Directives? What about existing industry standards and best practices?
There is a strong interaction between the DORA Regulation and Directives (EU) 2022/2555 and (EU) 2022/2557. For further details on such interaction, please refer to our Circular on Directives (EU) 2022/2555 on Measures for a High Common Level of Cybersecurity and (EU) 2022/2557 on the Resilience of Critical Entities.
Note that the DORA Regulation has been drafted drawing inspiration from, inter alia, relevant Union law, sectoral guidelines, guidance from international financial institutions, and relevant industry standards and best practices. The upcoming Regulatory and Implementing Technical Standards currently being drafted by the European Supervisory Authorities (‘ESAs’) will also build upon industry standards and best practices. It should be noted, however, that whilst the DORA Regulation takes into account industry standards and best practices, compliance with any specific industry standard and/or best practice should not be taken as compliance with the DORA Regulation in its entirety.
ICT TPPs are included within the scope of the DORA Regulation through the Oversight Framework for Critical ICT Third Party Providers (‘CTPPs’) pursuant to Chapter V, Section II of the Regulation. Under the DORA Regulation, CTPPs will be designated based on their systemic character, the reliance of financial entities on them, and the difficulty of migrating relevant data away from that particular provider. Upon designation, CTPPs will be subject to a European Union-level Oversight Framework made up of the Oversight Forum and, more importantly, the Lead Overseer. Competent authorities shall follow up on the decisions made by the Lead Overseer.
It is also worth noting that, although the DORA Regulation does not set direct requirements on ICT TPPs, it does set key contractual provisions through Article 30. In this sense, financial entities should ensure that these key contractual provisions are included within their contractual arrangements with ICT TPPs.
Is there a difference between Outsourcing and the ICT Third Party Providers (‘ICT TPPs’) under DORA?
DORA does not intend to regulate the definition of outsourcing and it should not be seen as changing current outsourcing practices.
Arrangements concluded with ICT TPPs under the DORA Regulation deliberately go beyond Outsourcing Arrangements as established by (inter alia) the currently applicable Acts, Regulations, Rules and/or Sector Specific Guidelines.
The definition employed by the DORA Regulation for an ICT TPP is provided by Article 3 point (19): “‘ICT third-party service provider’ means an undertaking providing ICT services.” In turn, Article 3 point (21) of the DORA Regulation states: “‘ICT services’ means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
The DORA Regulation therefore covers a broader array of arrangements concluded with ICT Third Party Providers, whether these qualify as outsourcing arrangements or not.
Article 5 of the DORA Regulation on Governance and Organisation places direct requirements onto the management body of a financial entity. What is to be considered as the management body?
By way of broad guidance, the management body of an entity is the one that sets the company’s strategy, objectives and overall direction, and which oversees and monitors management decision-making, and includes the persons who effectively direct the business of the company. In the same context, Article 3 point (30) of the DORA Regulation provides:
“‘management body’ means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council, Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law;”
The legal definition of what is to be considered the management body of a financial entity is therefore largely sectoral. Financial entities are accordingly invited to refer to their relevant and applicable sectoral legislation as outlined above and, where applicable, also to its national transposition.
What is the relationship between Threat-Led Penetration Testing (‘TLPT’) and the TIBER-EU Framework? Will I be required to undergo TLPT under DORA?
The DORA Regulation distinguishes between digital operational resilience testing and advanced testing based on TLPT. Financial entities within scope – excluding microenterprises and Article 16 entities – may be required to undergo TLPT. The selection of the entities that will be required to undergo TLPT is made by the competent authorities. More specifically, the third subparagraph of Article 26(8) of the Regulation states that competent authorities shall identify the financial entities required to undergo TLPT (taking into account proportionality) based on impact factors, financial stability concerns and ICT risk profile.
The most prominent framework for TLPT for the financial sector in the Union is the TIBER-EU Framework, developed by the European Central Bank (‘ECB’). The Regulatory Technical Standard on TLPT pursuant to Article 26(11) of the DORA Regulation will be developed jointly with the ECB and in accordance with the TIBER-EU Framework.
What are the different reporting mechanisms under DORA? What will happen to the incident reporting mechanism under Directive (EU) 2015/2366, the Payment Services Directive 2 (‘PSD2’)?
DORA has three different reporting mechanisms: (1) Major ICT-Related Incidents; (2) Significant Cyber Threats; and (3) Major Operational or Security Payment-Related Incidents.
The main difference that financial entities should be aware of concerns Major ICT-Related Incidents and Significant Cyber Threats. Financial entities will be required to classify incidents based on qualitative and quantitative thresholds yet to be defined by an upcoming Regulatory Technical Standard. Based on such classification, if the thresholds for a Major ICT-Related Incident are met, financial entities are required to report the incident to the competent authority. If the thresholds for a Significant Cyber Threat are met, financial entities may, this time on a voluntary basis, notify the Significant Cyber Threat to the competent authority. The reporting and notification templates for both Major ICT-Related Incidents and Significant Cyber Threats will be developed by the European Supervisory Authorities (‘ESAs’) as an Implementing Technical Standard pursuant to Article 20 of the DORA Regulation.
The third reporting mechanism is established by Article 23 of the DORA Regulation. Pursuant to that Article, credit institutions, payment institutions, account information service providers and electronic money institutions must report Major Operational or Security Payment-Related Incidents to the competent authority, irrespective of whether these incidents are ICT-related or not. This reporting mechanism was introduced by the DORA Regulation because of its relationship with PSD2.
In the same vein, the DORA Amending Directive (EU) 2022/2556 amends PSD2. According to DORA recital (23):
“To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, credit institutions, e-money institutions, payment institutions and account information service providers, as referred to in Article 33(1) of that Directive, should, from the date of application of this Regulation, report pursuant to this Regulation, all operational or security payment-related incidents which have been previously reported pursuant to that Directive, irrespective of whether such incidents are ICT-related.”
In preparation for the Digital Operational Resilience Act (DORA) Regulation, the Supervisory ICT Risk and Cybersecurity Function (SIRC) periodically releases DORA Podcasts, which primarily aim at preparing our Authorised Persons. In this sense, Authorised Persons are encouraged to reach out to SIRC on [email protected] with any DORA-related queries or suggestions to be addressed in future DORA Podcasts.