On the 30th of June, the Malta Financial Services Authority (‘MFSA’) issued a consultation document to invite stakeholders to give their feedback on MFSA’S proposed Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance’).

As reliance on ICT has increased, with industry players making use of both on-premise and cloud-based arrangements and outsourcing their services to third party service-providers, who may themselves be unlicensed, the MFSA understands that such activities may attract adverse risk. Therefore, the MFSA is proposing Guidance to address the need for organisations to have proper governance and control over all technology arrangements, as well as having proper outsourcing arrangements and an effective cybersecurity framework.

The Guidance is intended for MFSA licensees across several sectors, such as: VFAs, corporate service providers, trustees and fiduciaries, insurance intermediaries, investment services licence holders, trading venues and pension service providers.

The Guidance is based on four high level principles: Proportionality, Principles-based consistency of outcomes, Information Assurance (IA) in Technology Arrangements and Approach to cloud computing. The MFSA proposes a set of definitions specific to the Guidance and addresses the following matters:

  1. Technology Arrangements – here a different definition to Innovative Technology Arrangements as defined in the VFA and Distributed Ledger Technology framework is adopted. The MFSA address the use of cloud computing; cloud computing service models; cloud computing deployment models; shared responsibilities for different cloud service models; isolation in virtualised environments; monolithic, microservices and serverless architectures; unrestricted audit, on-site and remote access, and information gathering and investigations; security monitoring, DLP, eDiscovery and forensic capabilities; consumption of cloud services over the internet; and artificial intelligence and machine learning.
  2. ICT and Security Risk Management – the MFSA outline measures to be taken when managing risks associated with Technology Arrangements, their operations and data therein. Furthermore, this section of the Guidance addresses: ICT strategy, ICT Risk Management, Information Security, ICT Operations Management and ICT Project and Change Management.
  3. Outsourcing Arrangements – this section of the Guidance addresses internal governance arrangements to be in place when MFSA licensees outsource critical or important functions in a Technology Arrangement to third parties. Furthermore, this section of the Guidance provides for the assessment of outsourcing arrangements; sound governance arrangements including an outsourcing policy, the management of conflicts of interest, business continuity planning, internal audit function expectations, and documentation requirements; and provides guidance on the outsourcing process including pre outsourcing analysis, the contractual phase, monitoring and oversight of outsourcing arrangements, and exit strategies.

The MFSA’s proposed Guidance is of a principle-based cross-sectoral nature, drawing from standards established by several European bodies, however the Guidance may be superseded by more sector specific laws, regulations and guidelines.

The consultation period closes on the 28th of August 2020 and any feedback is to be sent to the Supervisory ICT Risk and Cybersecurity function within MFSA on sirc@mfsa.mt. Following the end of the consultation period, the MFSA plan to carry out thematic desk-based reviews on sectoral basis, on key aspects of the Guidance Note as part of its off-site supervision.

Update written by Dr Bernice Saliba.

For more information please contact Dr Ian Gauci and Dr Terence Cassar.

This article is not intended to impart legal advice and readers are asked to seek verification of statements made, from an advocate or law firm, before acting on them.

Disclaimer This article is not intended to impart legal advice and readers are asked to seek verification of statements made before acting on them.
Skip to content