The Malta Financial Services Authority (MFSA) has released a consultation document regarding an updated major ICT-related incident reporting process in response to increased cyber security threats, pursuant to paragraph 4.8.11 of the “Guidance Document on Technology, Arrangements, ICT and Security Risk Management, and Outsourcing Arrangement.”

This reporting process will be applicable to all persons authorised by the MFSA, except for credit and financial institutions that are already required to follow other guidelines on the matter or are required to report to the European Central Bank (ECB).

An ICT-related incident is defined as an unforeseen identified occurrence in the network and information systems, whether resulting from malicious activity or not, which compromises the security of network and information systems, of the information that such systems process, store or transmit, or has adverse effects on the availability, confidentiality, continuity, or authenticity of financial services provided by the financial entity.

Authorised Persons will be required to notify the MFSA where a Major Incident occurs. A Major Incident is deemed to have taken place if the Authorised Person satisfies either one or more of the higher impact level criteria, or three or more of the lower impact level criteria.

The levels are determined as follows:

| Criteria | Threshold for Lower Impact Level | Threshold for Higher Impact Level |
|---|---|---|
| Transactions affected (where applicable) | More than 10% of the regular level/number of transactions AND a duration of the incident of more than 1 hour OR A total value of more than €500,000 AND a duration of the incident of more than 1 hour | More than 25% of the regular level/number of transactions OR A total value of more than €15,000,000 |
| Users affected | More than 10% AND a duration of the incident of more than 1 hour OR More than €5,000 AND a duration of the incident of more than 1 hour | More than 25% OR More than €50,000 |
| Service downtime | More than 2 hours | Not applicable |
| Breach of security of network or information systems | Not applicable | Whether any malicious action has compromised the availability, authenticity, integrity or confidentiality of network or information systems (including data) of the Authorised Person |
| Economic impact | Not applicable | More than the maximum of (0.1% Tier-1 Capital, €200,000) OR More than €5,000,000 |
| High level of internal escalation | Yes | Yes and a crisis mode (or equivalent) is likely to be triggered |
| Geographical spread | Up to 2 Member States | More than 2 Member States |
| Other authorised persons or relevant infrastructures potentially affected | Yes | Not applicable |
| Reputational impact | Yes | Not applicable |

In the event that an incident is determined to be a Major ICT-Related Incident, this must be classified as such within 24 hours of the incident being detected. The Authorised Person is then obliged to report to the MFSA in a three-tiered approach:

Initial Report – to be submitted within 4 hours from the incident being labelled as major.

Intermediate Report – to be submitted within 3 working days after the initial report, as an update on the resolution of the incident. This must be done irrespective of whether the incident is resolved or not, and more than one such report may be submitted during various stages of the resolution process.

Final Report – to be submitted within 20 working days after the business is deemed ‘back to normal’, as a final update on the incident.

The feedback period for this consultation document is open till Friday 5th August 2022.

This article was written by Dr Cherise Abela Grech. The author wishes to thank legal trainee Ms Jodie Arpa for her assistance in the drafting of this article.

For more information, please contact Dr Ian Gauci and Dr Cherise Abela Grech.

Disclaimer: This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.