Information and communication technology (ICT) has dramatically shaped financial services in the last decade or two, connecting one of the oldest industries globally to the digital world. Technological advancement brings tremendous benefits but also new layers of complexity, which introduce risks that are often not well understood. In light of this, the European Banking Authority (EBA) identified the need to address security risks arising from electronic payments and, subsequently, released a set of guidelines in 2017 that also support the objectives of the Payment Services Directive (PSD2).
However, it was soon evident that ICT and security risks transcend electronic payments. To bridge this gap, the EBA established new requirements in 2019 that also apply to credit institutions and investment firms and, thus, ensure a consistent and robust approach in the financial sector across the European single market. In the local regulatory scene, the MFSA has followed in the footsteps of the EU’s supervisory authorities and saw this as the perfect opportunity for harmonising the approach taken by license holders in managing technological and security risks. In December 2020, the MFSA issued new guidelines to harmonise the management of ICT and security risks within the financial services industry, in line with the direction established by European supervisory authorities.
One of the key purposes of the new guidance document is to provide coherent advice that draws upon ICT and security risk management guidelines emanating from the EBA as well as international governance standards or best practice frameworks (such as ISO/IEC 27001 and the NIST Cybersecurity Framework). These recommendations are applicable to a wide range of financial services entities, namely:
Insurance and reinsurance undertakings
A detailed list of entities is available at Provision 1.1.9 of the guidance document.
ICT and security risk management is all about identifying and preparing for adverse situations, which usually result from inadequate internal processes, external events such as cyber attacks, or even natural threats, as the COVID-19 pandemic proved to be. Our team of cyber security experts at PwC Malta has the experience and competences to analyse your business's current state against the newly established guidelines, or otherwise to assist your organisation in areas such as ICT governance and strategy, risk assessments, design of information security controls, penetration testing, and business continuity management.
Advisory Partner, PwC Malta
Tel: +356 2564 7091
Manager, Advisory, PwC Malta
Tel: +356 2564 4629