The Malta Financial Services Authority (MFSA) has released a consultation document regarding an updated major ICT-related incident reporting process in response to increased cyber security threats, pursuant to paragraph 4.8.11 of the “Guidance Document on Technology, Arrangements, ICT and Security Risk Management, and Outsourcing Arrangement.”
This reporting process will be applicable to all persons authorised by the MFSA, except for credit and financial institutions that are already required to follow other guidelines on the matter or are required to report to the European Central Bank (ECB).
An ICT-related incident is defined as an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity, or authenticity of financial services provided by the financial entity.
Authorised Persons will be required to notify the MFSA where a Major Incident occurs. A Major Incident is deemed to have taken place if the Authorised Person either satisfies one or more of the higher impact levels criteria, or three or more criteria of the lower impact level.
The levels are determined as follows:
| Criteria | Threshold for Lower Impact Level | Threshold for Higher Impact Level |
| Transactions affected (where applicable) | More than 10% of the regular level/number of transactions AND a duration of the incident of more than 1 hour OR A total value of more than €500,000 AND a duration of the incident of more than 1 hour | More than 25% of the regular level/number of transactions OR A total value of more than €15,000,000 |
| Users affected | More than 10% AND a duration of the incident of more than 1 hour OR More than €5,000 AND a duration of the incident of more than 1 hour | More than 25% OR More than €50,000 |
| Service downtime | More than 2 hours | Not applicable |
| Breach of security of network or information systems | Not applicable | Whether any malicious action has compromised the availability, authenticity, integrity or confidentiality of network or information systems (including data) of the Authorised Person |
| Economic impact | Not applicable | More than the maximum of (0.1% Tier-1 Capital €200,000) OR More than €5,000,000 |
| High level of internal escalation | Yes | Yes and a crisis mode (or equivalent) is likely to be triggered |
| Geographical spread | Up to 2 Member States | More than 2 Member States |
| Other authorised persons or relevant infrastructures potentially affected | Yes | Not applicable |
| Reputational impact | Yes | Not Applicable |
In the event that an incident is determined to be a Major ICT-Related Incident, this must be classified as such within 24 hours of the incident being detected. The Authorised Person is then obliged to report to the MFSA in a three-tiered approach:
Initial Report – to be submitted within 4 hours from the incident being labelled as major.
Intermediate Report – to be submitted within 3 working days after the initial report, as a form of an update on the resolution of the incident. This must be done irrelevant of if the incident is resolved or not, and more than one such report may be submitted during various stages of the resolution process.
Final Report – to be submitted within 20 working days after the business is deemed ‘back to normal’, as a final update on the incident.
The feedback period for this consultation document is open till Friday 5th August 2022.
This article was written by Dr Cherise Abela Grech. The author wishes to thank legal trainee Ms Jodie Arpa for her assistance in the drafting of this article.
For more information, please contact Dr Ian Gauci and Dr Cherise Abela Grech.