
MFSA’s Guidance on Technology Arrangements for CSPs

August 21, 2024

On 26 March 2024, the MFSA published a circular providing an update on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, which the MFSA had issued in December 2020. The circular informed the industry that, as of the date of applicability of the DORA Regulation (17th January 2025), the guidance document shall no longer apply to Authorised Persons which are in scope of the DORA Regulation. It reaffirmed that the guidance will continue to apply to Authorised Persons which are not in scope of the DORA Regulation, including Company Service Providers. This obligation is aligned with CSPs’ obligations under the Company Service Providers Rulebook, as stated in R3-12.8:

A CSP shall, taking into account the size, nature, scale and complexity of the said undertaking and on a best effort basis, refer to the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, issued by the MFSA.

Taking into consideration the size, internal organisation and individual risk profile of the CSP, as well as the nature, scope, complexity and riskiness of its operation and of the services provided or intended to be provided, the list below sets out some of the recommendations contained in the above guidelines which CSPs should follow with respect to their technology arrangements:

  • Ensure there is an adequate internal governance and internal control framework in place covering ICT risk management, and set clear roles and responsibilities for ICT management, cybersecurity/information security management, and business continuity;
  • Manage ICT risks according to the three lines of defence model or similar internal control framework in use at their organisation that is approved by the Authority;
  • Identify, establish and regularly update a mapping of the information assets supporting their business functions and supporting processes, such as ICT systems, people, third parties and dependencies on other internal and external systems and processes;
  • Identify the ICT risks that impact the identified business functions, supporting processes and information assets;
  • Make use of Security Information and Event Management tools for the analysis of logs and security alerts generated by applications and network infrastructure;
  • Make use of Data Loss Prevention technology;
  • Perform threat monitoring and vulnerability analysis;
  • Develop and document an information security policy;
  • Define, document and implement procedures for physical security measures;
  • Perform a variety of different information security reviews, assessments and testing;
  • Define and implement data and ICT backup and restoration procedures;
  • Establish and implement an incident and problem management response to monitor and log operational and security ICT incidents;
  • Have business continuity arrangements; and
  • Have an outsourcing arrangement in place.

Read the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, here.

For assistance with ensuring compliance with the above Guidelines, contact Shoulder Compliance on charles.cassar@shoulder.mt