Supervisory ICT Risk and Cybersecurity
Information and Communications Technology (ICT) has become a critical dependency for organisations and people alike. Inevitably, we are seeing an increased interest in ICT risk and Cybersecurity by standards organisations, policymakers, and regulators worldwide including within the financial services industry.
ICT risk and Cybersecurity continue to present significant challenges to, and potentially severe consequences for, the resilience, performance, and stability of financial systems and economies, as highlighted by European and international Boards and Committees. Third-party dependencies and the risks associated with ICT outsourcing are also becoming increasingly relevant as part of ICT risk management.
The Authority places substantial importance on ICT risk and Cybersecurity, which remains a cross-sectoral priority. The establishment of the Supervisory ICT Risk and Cybersecurity function as a cross-sector supervisory function was a critical milestone. The function works closely with the other supervisory functions and is responsible for the supervision of licence holders in the areas of ICT risk and Cybersecurity and the management of risks associated with ICT outsourcing, collectively the area of Digital Operational Resilience.
The Supervisory ICT Risk and Cybersecurity function has issued principle-based cross-sectoral guidelines (“Guidance Document”) in the areas of Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, setting out the Authority’s expectations. The guidelines are in line with the MFSA’s Strategic Plan 2019-2021 and the Authority’s efforts to ensure operational resilience within the financial services industry. All supervised entities are recommended to make effective use of the Guidance Document and to approach it with a view to aligning with the Authority’s expectations set out therein.
On 3 September 2024, the Supervisory ICT Risk and Cybersecurity (SIRC) Function issued the publication ‘The Nature and Art of Financial Supervision – Volume XI: ICT Risk and Cybersecurity’. This publication offers a detailed and updated account of the work carried out by the Authority’s SIRC Function. This edition provides an in-depth look at how the Authority is adapting to key regulatory developments, such as the Digital Operational Resilience Act (DORA) and highlights its ongoing commitment to enhancing digital operational resilience and cyber-maturity within Malta’s financial sector.
The publication elaborates on several supervisory efforts made by the SIRC Function, including support for authorisations, ongoing supervision, incident reporting, management of ICT third-party risk, and threat-led penetration testing. It also offers insights into the SIRC Function’s common findings related to ICT and Cybersecurity.
Legislation
Regulation (EU) 2022/2554, known as the Digital Operational Resilience Act (‘DORA’), is a Regulation applicable to entities within the financial services sector which aims at enhancing the digital operational resilience of those entities. It entered into force on 16 January 2023 and applies from 17 January 2025. The Regulation is accompanied by Directive (EU) 2022/2556. Member States are required to adopt the provisions and measures necessary to give effect to the DORA Regulation and to transpose Directive (EU) 2022/2556.
DORA is a complex, yet comprehensive Regulation which sets requirements on the following areas: (1) ICT Risk Management; (2) Incident Management, Classification and Reporting; (3) Digital Operational Resilience Testing; (4) ICT Third-Party Risk; and (5) Voluntary Information Sharing Arrangements. The Regulation will be technically supplemented by ten (10) Regulatory and Implementing Technical Standards which have different legal deadlines, ranging from January to July 2024.
The European Supervisory Authorities (ESAs) Guidelines and the Supervisory ICT Risk and Cybersecurity Function’s Guidance Document on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance Document’) have been cross-referenced in several of the Authority’s Prudential Supervision Rulebooks. Therefore, as applicable, entities within scope of these Rulebooks are expected to comply with the ESAs Guidelines and the Guidance Document to the extent set out in the Rules. A complete list of such cross-references can be found in the “Cross-references to the Guidance Document on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements and Applicable ESAs Guidelines (as of May 2023).”
The current ICT and Cyber-related regulatory framework applicable to the financial services sector comprises, inter alia, the European Supervisory Authorities (ESAs) Guidelines. These Guidelines are sector-specific and are used as supervisory benchmarks throughout the various stages of an entity’s supervisory lifecycle, from Authorisation to Supervisory Engagements. For Credit Institutions undergoing the Supervisory Review and Evaluation Process (‘SREP’), the Guidelines on ICT Risk Assessment under SREP are also taken into account.
Building upon the ESAs Guidelines, the Supervisory ICT Risk and Cybersecurity function published in 2020 its Guidance Document on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance Document’). The Guidance Document sets out the Authority’s expectations of financial entities in the area of ICT.
EBA Guidelines on ICT and Security Risk Management
EBA Guidelines on Outsourcing Arrangements
EIOPA Guidelines on ICT Security and Governance
EIOPA Guidelines on Outsourcing to Cloud Service Providers
What is the Digital Operational Resilience Act (‘DORA’)?
DORA is a Regulation (EU) 2022/2554 that aims at increasing the digital operational resilience of financial entities within scope. It sets proportionate requirements in five key areas: (1) ICT Risk Management; (2) Incident Management, Classification and Reporting; (3) Digital Operational Resilience Testing; (4) ICT Third-Party Risk; and (5) Voluntary Information Sharing Arrangements. The Regulation is accompanied by Directive (EU) 2022/2556.
When will it become applicable?
DORA entered into force on 16 January 2023 and is fully applicable from 17 January 2025. These dates also apply to the DORA Directive (EU) 2022/2556.
Does it apply to me?
The scope of the Regulation is outlined in Article 2. However, the Authority understands that some entities may need further clarity on the applicability of the Regulation due to home-grown regimes and other factors. If you are unsure if the DORA Regulation is applicable to you, please do not hesitate to contact us on [email protected].
However, as a way of clarification, it should be noted that pursuant to Article 2 of the DORA Regulation, Trustees & Fiduciaries, Company Service Providers and Virtual Financial Assets (VFA) Agents are not within scope of the DORA Regulation.
In turn, note that the DORA Regulation will apply to self-managed Alternative Investment Funds (AIF) and Undertakings for Collective Investment in Transferable Securities (UCITS).
How does proportionality under DORA work?
The DORA Regulation has a very robust proportionality principle made up of four layers that build on each other, respectively: (1) exceptions to scope as specified in Article 2(3) of the DORA Regulation; (2) the proportionality principle, under which entities are required to apply the requirements of the Regulation taking into account their size, risk profile, and the nature, scale and complexity of their services, activities and operations; (3) microenterprises are exempted from some requirements and/or benefit from lighter requirements, as applicable; and (4) Article 16 entities are likewise exempted from some requirements and/or benefit from lighter requirements, as applicable.
Authorised Persons are expected to establish a proportionality self-assessment document, approved by the respective management body, that is kept up-to-date. From a supervisory perspective, this self-assessment document could help the Authority in better understanding the Authorised Persons’ approach vis-à-vis the application of proportionality. Therefore, it is important that Authorised Persons are able to duly justify a proportionate application and implementation of the requirements of the DORA Regulation to the Authority. When assessing what is proportionate, Authorised Persons should focus on all the criteria established by Article 4 of the DORA Regulation.
For the avoidance of doubt, the recommendation of establishing a proportionality self-assessment document does not emanate from the DORA Regulation and/or any other relevant applicable laws, regulations and guidelines. This is therefore a recommendation of good practice.
How should I go about classifying my financial entity’s size in terms of the DORA Regulation?
To classify themselves as micro, small or medium-sized enterprises, financial entities should be guided by Article 3 of the DORA Regulation. Considering that the DORA Regulation does not provide guidance on how such a size calculation should be carried out, financial entities can, to the extent possible, refer to the guidance provided by the European Commission in Commission Recommendation 2003/361/EC and additional material released by the Commission, namely the User Guide to the SME Definition and the SME Self-Assessment Questionnaire.
For clarity, for the purposes of applicability of the DORA Regulation, what shall ultimately apply are the definitions provided under Article 3 of the DORA Regulation. In the event of any inconsistency, conflict or overlap between the DORA Regulation and the Commission Recommendation, for the purposes of the DORA Regulation, the DORA Regulation shall prevail.
I noticed that the Regulation is non-technical in some instances, why?
The DORA Regulation will be technically supplemented by ten (10) Regulatory and Implementing Technical Standards. For further details please refer to our Circular’s Annex 1 on Regulation (EU) 2022/2554 and Amending Directive (EU) 2022/2556 on Digital Operational Resilience for the Financial Sector published on the EU Official Journal.
What will happen to the current applicable Guidelines (European Supervisory Authorities’ Guidelines and the MFSA’s Guidance Document)?
The applicability of the ESAs’ Guidelines is expected to be reviewed by the ESAs in due course, taking into account the legal deadlines for the Regulatory and Implementing Technical Standards.
In terms of the Authority’s Guidance Document, financial entities should refer to the Circular titled Update on the Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, published by the Authority in March 2024.
Is there any interaction between DORA and other cyber-related EU Directives? What about existing industry standards best practices?
There is a strong interaction between the DORA Regulation and Directives (EU) 2022/2555 and (EU) 2022/2557. For further details on such interaction, please refer to our Circular on Directives (EU) 2022/2555 on Measures for a High Common Level of Cybersecurity and (EU) 2022/2557 on the Resilience of Critical Entities.
Note that the DORA Regulation has been drafted drawing inspiration from, inter alia, relevant Union law, sectoral guidelines, guidance from international financial institutions, and relevant industry standards and best practices. The upcoming Regulatory and Implementing Technical Standards currently being drafted by the European Supervisory Authorities (‘ESAs’) will also build upon industry standards and best practices. It should be noted, however, that whilst the DORA Regulation takes industry standards and best practices into account, compliance with any specific industry standard and/or best practice should not be taken as compliance with the DORA Regulation in its entirety.
Why are ICT Third Party Providers (‘ICT TPPs’) included within scope of the DORA Regulation?
ICT TPPs are included within scope of the DORA Regulation due to the Oversight Framework for Critical ICT Third Party Providers (‘CTPPs’) pursuant to Chapter V, Section II of the Regulation. Under the DORA Regulation, CTPPs will be designated based on their systemic character, the reliance of financial entities on them, and the difficulty of migrating relevant data away from that particular provider. Upon designation, CTPPs will be subject to a European Union-level Oversight Framework made up of the Oversight Forum and, more importantly, the Lead Overseer. Competent authorities shall follow up on the decisions made by the Lead Overseer.
It is also worth noting that, although the DORA Regulation does not set direct requirements on ICT TPPs, it does set key contractual provisions through Article 30. In this sense, financial entities should ensure that these key contractual provisions are included within their contractual arrangements with ICT TPPs.
Is there a difference between Outsourcing and the ICT Third Party Providers (‘ICT TPPs’) under DORA?
DORA does not intend to regulate the definition of outsourcing and it should not be seen as changing current outsourcing practices.
Arrangements concluded with ICT TPPs under the DORA Regulation, on purpose, go beyond Outsourcing Arrangements as established by (inter alia) the current applicable Acts, Regulations, Rules and/or Sector Specific Guidelines.
The definition employed by the DORA Regulation for an ICT TPP is provided by Article 3 point (19): “‘ICT third-party service provider’ means an undertaking providing ICT services.” In turn, Article 3 point (21) of the DORA Regulation states: “‘ICT services’ means digital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services”.
The DORA Regulation therefore covers a broader array of arrangements concluded with ICT Third Party Providers, whether these qualify as outsourcing arrangements or not.
Article 5 of the DORA Regulation on Governance and Organisation places direct requirements onto the management body of a financial entity. What is to be considered as the management body?
By way of broad guidance, the management body of an entity is the one that sets the company’s strategy, objectives and overall direction, and which oversees and monitors management decision-making, and includes the persons who effectively direct the business of the company. In the same context, Article 3 point (30) of the DORA Regulation provides:
“‘management body’ means a management body as defined in Article 4(1), point (36), of Directive 2014/65/EU, Article 3(1), point (7), of Directive 2013/36/EU, Article 2(1), point (s), of Directive 2009/65/EC of the European Parliament and of the Council (31), Article 2(1), point (45), of Regulation (EU) No 909/2014, Article 3(1), point (20), of Regulation (EU) 2016/1011, and in the relevant provision of the Regulation on markets in crypto-assets, or the equivalent persons who effectively run the entity or have key functions in accordance with relevant Union or national law;”
The legal definition of what is to be considered the management body of a financial entity is therefore largely sectoral. Financial entities are accordingly invited to refer to their relevant and applicable sectoral legislation as outlined above and, where applicable, also to its national transposition.
What is the relationship between Threat-Led Penetration Testing (‘TLPT’) and the TIBER-EU Framework? Will I be required to undergo TLPT under DORA?
The DORA Regulation distinguishes between digital operational resilience testing and advanced testing based on TLPT. Financial entities within scope – excluding microenterprises and Article 16 entities – may be required to undergo TLPT. The selection of entities that will be required to undergo TLPT must be done by the competent authorities. More specifically, Article 26(8) third subparagraph of the Regulation states that competent authorities shall identify the financial entities (taking into account proportionality) required to undergo TLPT based on impact-factors, financial stability concerns and ICT risk profile.
The most prominent framework for TLPT for the financial sector in the Union is the TIBER-EU Framework, developed by the European Central Bank (‘ECB’). The Regulatory Technical Standard on TLPT pursuant to Article 26(11) of the DORA Regulation will be developed jointly with the ECB and in accordance with the TIBER-EU Framework.
What are the different reporting mechanisms under DORA? What will happen to the incident reporting mechanism under Directive (EU) 2015/2366, the Payment Services Directive 2 (‘PSD2’)?
DORA has three different reporting mechanisms: (1) Major ICT-Related Incidents; (2) Significant Cyber Threats; and (3) Major Operational or Security Payment-Related Incidents.
The main difference that financial entities should be aware of concerns Major ICT-Related Incidents and Significant Cyber Threats. Financial entities will be required to classify incidents based on qualitative and quantitative thresholds yet to be defined by an upcoming Regulatory Technical Standard. Based on such classification, if the thresholds for a Major ICT-Related Incident are met, financial entities are required to report the incident to the competent authority. If the thresholds for a Significant Cyber Threat are met, financial entities may, this time on a voluntary basis, notify the Significant Cyber Threat to the competent authority. The reporting and notification templates for both Major ICT-Related Incidents and Significant Cyber Threats will be developed by the European Supervisory Authorities (‘ESAs’) as an Implementing Technical Standard pursuant to Article 20 of the DORA Regulation.
The third reporting mechanism is established by Article 23 of the DORA Regulation. Pursuant to it, credit institutions, payment institutions, account information service providers and electronic money institutions must report Major Operational or Security Payment-Related Incidents to the competent authority, irrespective of whether these incidents are ICT-related or not. This reporting mechanism was introduced by the DORA Regulation because of its relationship with PSD2.
In the same vein, the DORA Amending Directive (EU) 2022/2556 amends PSD2. According to DORA recital (23):
“To reduce the administrative burden and potentially duplicative reporting obligations for certain financial entities, the requirement for the incident reporting pursuant to Directive (EU) 2015/2366 of the European Parliament and of the Council should cease to apply to payment service providers that fall within the scope of this Regulation. Consequently, credit institutions, e-money institutions, payment institutions and account information service providers, as referred to in Article 33(1) of that Directive, should, from the date of application of this Regulation, report pursuant to this Regulation, all operational or security payment-related incidents which have been previously reported pursuant to that Directive, irrespective of whether such incidents are ICT-related.”
In preparation for the Digital Operational Resilience Act (DORA) Regulation, the Supervisory ICT Risk and Cybersecurity Function (SIRC) periodically releases DORA Podcasts, which primarily aim at preparing our Authorised Persons. In this sense, Authorised Persons are encouraged to reach out to SIRC on [email protected] with any DORA-related queries or suggestions to be addressed in future DORA Podcasts.
Major ICT-Related Incident Reporting
Information-Sharing Arrangements Notifications
- Information-Sharing Arrangements Notification Process
- Information-Sharing Arrangements Notification Form Template
The Information-Sharing Arrangements Notification Process sets out the scope and applicability, and establishes the process for notifying participation in, or the cessation of membership of, an Information-Sharing Arrangement or Arrangements.
The Information-Sharing Arrangements Notification Form Template is the standard template to be used by Authorised Persons to notify their participation in Information-Sharing Arrangements upon validation of their membership or, as applicable, the cessation of their membership once it takes effect.
Threat-Led Penetration Testing
Threat-Led Penetration Testing (‘TLPT’) has emerged as a critical measure for bolstering the digital resilience of financial entities, driven by the need to simulate realistic and high-impact cyber threats. Unlike traditional penetration testing, TLPT mirrors real-world tactics, techniques, and procedures of sophisticated threat actors. This enables financial entities to identify vulnerabilities and test their response capabilities under conditions similar to those of actual attacks. For certain financial entities within the European Union, TLPT is not only best practice but also a regulatory requirement under the Digital Operational Resilience Act (‘DORA’) (Regulation (EU) 2022/2554), which mandates enhanced security and resilience standards to ensure the stability of the financial ecosystem.
In response to escalating cybersecurity threats, the European Union enacted DORA, which outlines stringent requirements for digital operational resilience in the financial sector. DORA’s Chapter IV, specifically Article 26, mandates that certain financial entities must perform TLPT to assess and strengthen their cyber resilience. According to Article 26, TLPT should be carried out by financial entities identified through criteria set out in DORA’s Regulatory Technical Standard (‘RTS’) specifying elements with regard to TLPT. DORA highlights the importance of TLPT as an integral component of digital operational resilience testing, ensuring that financial entities are prepared to face sophisticated cyber threats and maintain operational continuity across the EU financial sector.
In May 2018, the European Central Bank (‘ECB’) published the TIBER-EU framework, the first EU wide framework for threat intelligence-based ethical red-teaming that provides an efficient solution for ensuring mutual recognition of cyber resilience tests across the EU. The framework was jointly developed by the ECB and the EU national central banks aiming to help the entities that form the core European financial infrastructure to test and enhance their protection, detection, and response capabilities.
The MFSA had published a feedback statement on 06 February 2024 with regards to the public consultation titled ‘Consultation on the Adoption of the TIBER-EU Framework in Malta’ that was published on 08 March 2023. The consultation was issued to firstly introduce the TIBER-EU framework to interested industry stakeholders as well as the relationship between its requirements and the requirements of DORA on advanced testing based on TLPT. Secondly, this consultation sought to gather the views of industry stakeholders on the adoption of the TIBER-EU framework in Malta.
Following further discussions and consultation with the ECB, the MFSA is adopting the TIBER-EU Framework and will implement, at a national level, the updated version of the TIBER-EU Framework after its official publication. Further information with regards to the implementation of the TIBER-EU Framework in Malta will be provided in due time.
How Can Financial Entities Determine Whether a TLPT is Mandatory?
As stated in Article 26(1) of DORA, financial entities, other than entities referred to in DORA Article 16(1), first subparagraph, and other than microenterprises, which are identified in accordance with paragraph 8, third subparagraph of this Article, shall carry out at least every 3 years advanced testing by means of TLPT.
Moreover, the ESAs have submitted the final draft RTS specifying elements related to TLPT under Article 26(11) of DORA to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny by the European Parliament and the Council before publication in the Official Journal of the European Union. Once published, this RTS will provide further information on the criteria for each type of financial entity in scope.
Does a Financial Entity Require Prior Notification from the MFSA Before Initiating a Threat-Led Penetration Test?
Yes. The MFSA shall notify a financial entity that it is required to perform a Threat-Led Penetration Test. A financial entity cannot perform a Threat-Led Penetration Test as defined under DORA unless the MFSA has provided such notification.
Are There Specific Guidelines on the Frequency with Which Financial Entities Should Perform Threat-Led Penetration Tests?
Article 26(1) of DORA mentions that financial entities in scope of TLPT shall carry out at least every 3 years advanced testing by means of TLPT. However, based on the risk profile of the financial entity and taking into account operational circumstances, the MFSA may, where necessary, request the financial entity to reduce or increase this frequency.
What Functions Should be in Scope of TLPT Under DORA?
As highlighted in Article 26(2) of DORA, each threat-led penetration test shall cover several or all critical or important functions of a financial entity and shall be performed on live production systems supporting such functions.
How Can a Financial Entity Determine If It Can Make Use of Internal Testers or External Testers When Performing Threat-Led Penetration Tests?
Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27 of DORA. All financial entities in scope of TLPT as defined under DORA, except for credit institutions classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, may use internal testers when performing Threat-Led Penetration Tests. In addition, when financial entities use internal testers for the purposes of undertaking TLPT, they shall contract external testers every three tests.
Will There be any Specific Guidelines or Standards that Financial Entities Must Follow Regarding the Methodology for Conducting Threat-Led Penetration Tests?
The ESAs have submitted the final draft RTS specifying elements related to TLPT under Article 26(11) of DORA to the European Commission for adoption. Following its adoption in the form of a Commission Delegated Regulation, it will then be subject to scrutiny by the European Parliament and the Council before publication in the Official Journal of the European Union. Once published, this RTS will provide further information with regard to the methodology for conducting Threat-Led Penetration Tests.