
ICT and Security Risk Management in the Financial Services Industry


Information and communication technology (ICT) has dramatically shaped financial services in the last decade or two, connecting one of the oldest industries in the world to the digital one. Technological advancement brings tremendous benefits, but it also adds layers of complexity that introduce new risks, and these risks are usually not well understood. In light of this, the European Banking Authority (EBA) identified the need to address security risks arising from electronic payments and, in 2017, released a set of guidelines that also support the objectives of the Payment Services Directive (PSD2).

However, it soon became evident that ICT and security risks transcend electronic payments. To bridge this gap, the EBA established new requirements in 2019 that also apply to credit institutions and investment firms, thus ensuring a consistent and robust approach across the financial sector throughout the European single market. On the local regulatory scene, the MFSA followed in the footsteps of the EU's supervisory authorities and saw this as the ideal opportunity to harmonise the approach taken by licence holders in managing technological and security risks. In December 2020, the MFSA issued new guidelines to harmonise the management of ICT and security risks within the financial services industry, in line with the direction established by the European supervisory authorities.

Technology risks

One of the key purposes of the new guidance document is to provide coherent advice that draws upon the ICT and security risk management guidelines issued by the EBA as well as international governance standards and best-practice frameworks (such as ISO/IEC 27001 and the NIST Cybersecurity Framework). These recommendations apply to a wide range of financial services entities, namely:

  • Credit institutions
  • Financial institutions
  • Insurance and reinsurance undertakings
  • Insurance intermediaries
  • Investment firms

A detailed list of entities is available at Provision 1.1.9 of the guidance document.

How is PwC positioned to help with this?

ICT and security risk management is all about identifying and preparing for adverse situations, which usually result from inadequate internal processes, external events such as cyber attacks, or even natural threats, as the COVID-19 pandemic proved to be. Our team of cyber security experts at PwC Malta has the experience and competences to analyse your business's current state against the newly established guidelines, or otherwise to assist your organisation in areas such as ICT governance and strategy, risk assessments, design of information security controls, penetration testing, and business continuity management.


Contact us

Michel Ganado

Advisory Partner, PwC Malta

Tel: +356 2564 7091

Kirsten Cremona

Manager, Advisory, PwC Malta

Tel: +356 2564 4629
