CySEC Adopts the EBA’s Guidelines on
ICT and Security Risk Management
The implementation of cyber security compliance measures is a response to increasing Information and Communication Technology (ICT) risks in recent years due to the surge in the digitalisation of the financial sector. Financial institutions are increasingly vulnerable to cyber-attacks, leading to potential systemic impacts. The Guidelines specify the risk management measures that financial institutions must implement to manage their ICT risk.
Following the release of the European Banking Authority’s (EBA) Guidelines on ICT and security risk management (EBA GL 2019/04), Cyprus Securities and Exchange Commission (CySEC) adopted the Guidelines under section 20 of its Prudential Supervision of Investment Firms Law of 2021 as notified in CySEC’s Circular C571.
Cyber security compliance has become a stipulation of the CySEC for Cyprus Investment Firms (CIFs) with the initial capital requirement of €150.000 and €750.000 i.e. firms that fall under sections 9(1), (3) and (4) of the Prudential Supervision of Investment Firms Law of 2021. CIFs that have not already taken the required action to ensure compliance must do by 31 December 2023.
Summary of the
Specifications of the Guidelines
Among others the Guidelines specify the following:
The CIFs Management should ensure that adequate internal controls and governance procedures are in place to combat and mitigate ICT and security risks, with clear roles and responsibilities for each relevant function.
CIFs should ensure that their governance and internal control framework for the ICT and security risks are approved by the Board of Directors.
In accordance with Section 19 of the EBA Guidelines on internal governance, the responsibility for managing ICT and security risks should be delegated to a control function.
The Board of Directors of the CIF should approve an audit plan where the ICT and Security Risk functions are audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks to provide independent assurance of the effectiveness of the CIF’s policies and procedures, in accordance with the requirements of section 22 of the EBA Guidelines on Internal Governance.
The Audit Plan should reflect the inherent ICT and security risks identified in the CIF and should be updated regularly. The first internal audit report regarding compliance of all ICT and security risks related activities should be submitted to the Board of Directors by 30 June 2024 at the latest and should be available to CySEC upon request.
What Actions Must CIFs Take
to Comply with the Guidelines?
CySEC expects that CIFs with the initial capital requirement of €150.000 and €750.000 will take the necessary actions to comply with the guidelines no later than 31 December 2023, if they haven’t already done so. Specifically:
The CIFs should determine their governance and internal control framework for their ICT and security risks that would be approved by their Board of Directors and establish measures to manage and mitigate their ICT and security risks.
The CIFs should assign to their internal audit function to independently review and provide objective assurance of the compliance of all ICT and security related activities and units of the CIF with its policies and procedures, adhering to the requirements of Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11).
The Board of Directors of the CIF should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the CIF and should be updated regularly.
How Can FAI Comply Assist CIFs
with Cyber Security Compliance?
FAI Comply has formed a strategic partnership with leading UK cyber security experts to elevate our services and better cater to firms’ cyber security needs in line with Circular C571. Our partners come with a wealth of experience in assisting firms in meeting ISO standards and more. They specialise in providing comprehensive support across various key areas and we are confident that this collaboration brings added value to our existing and future clients.
Our partnership works to assist in the following areas:
Gain access to in-depth forensic analysis and breakdowns, allowing you to understand and implement with precision.
Creating Cyber Roadmaps
Our experts can assist in the development of board-level strategic cyber roadmaps tailored to your organisation's specific needs and goals.
Receive guidance and support in planning robust architecture designs to fortify your cybersecurity infrastructure.
Benefit from hands-on support during the implementation phase, ensuring a smooth and effective execution of your cyber security plans.
Our partners offer dedicated support for investigating potential threats, providing you with the insight needed to proactively address security challenges.
Meet your IT audit requirements for Circular C571.
If your firm requires assistance with cyber security compliance, please contact us to let us know your requirements.
Understanding your needs
At FAI Comply, we tailor each package to suit our clients’ needs, from providing training, support and guidance, to overseeing each and every function and being fully outsourced. This is done through our consulting process, which involves gaining a deep understanding of our client’s needs and goals. From investment firms, payment services providers, straight-through processing models and complex market makers, to portfolio management and investment advice, we are able to put in place and oversee all the necessary requirements of the regulator.