On the 30th of June, the Malta Financial Services Authority (‘MFSA’) issued a consultation document to invite stakeholders to give their feedback on MFSA’S proposed Guidance on Technology Arrangements, ICT and Security Risk Management and Outsourcing Arrangements (‘Guidance’).
As reliance on ICT has increased, with industry players making use of both on-premise and cloud-based arrangements and outsourcing their services to third party service-providers, who may themselves be unlicensed, the MFSA understands that such activities may attract adverse risk. Therefore, the MFSA is proposing Guidance to address the need for organisations to have proper governance and control over all technology arrangements, as well as having proper outsourcing arrangements and an effective cybersecurity framework.
The Guidance is intended for MFSA licensees across several sectors, such as: VFAs, corporate service providers, trustees and fiduciaries, insurance intermediaries, investment services licence holders, trading venues and pension service providers.
The Guidance is based on four high level principles: Proportionality, Principles-based consistency of outcomes, Information Assurance (IA) in Technology Arrangements and Approach to cloud computing. The MFSA proposes a set of definitions specific to the Guidance and addresses the following matters:
The MFSA’s proposed Guidance is of a principle-based cross-sectoral nature, drawing from standards established by several European bodies, however the Guidance may be superseded by more sector specific laws, regulations and guidelines.
The consultation period closes on the 28th of August 2020 and any feedback is to be sent to the Supervisory ICT Risk and Cybersecurity function within MFSA on sirc@mfsa.mt. Following the end of the consultation period, the MFSA plan to carry out thematic desk-based reviews on sectoral basis, on key aspects of the Guidance Note as part of its off-site supervision.
Update written by Dr Bernice Saliba.
For more information please contact Dr Ian Gauci and Dr Terence Cassar.
This article is not intended to impart legal advice and readers are asked to seek verification of statements made, from an advocate or law firm, before acting on them.