EBA Guidelines on ICT and Security Risks Management (EBA/GL/2019/04)
With the publication of Circular C571, CySEC (Cyprus Securities and Exchange Commission) wishes to draw the attention of all CIFs with initial capital of €150,000.00 and €750,000.00 to the Prudential Supervision of Investment Firms Law of 2021 and to the Guidelines on ICT and security risk management (the ‘Guidelines’).
Information and Communication Technology (ICT) risks have increased in recent years due to the surge in digitalisation of the financial sector, rendering financial institutions vulnerable to cyber-attacks. The Guidelines specify the risk management measures that financial institutions must implement in order to manage their ICT risk.
Among other things, the Guidelines specify the following:
The management of Cyprus Investment Firms (CIFs) should ensure that adequate internal controls and governance procedures are in place to combat and mitigate ICT and security risks, with clear roles and responsibilities for each relevant function.
CIFs should ensure that their governance and internal control framework for ICT and security risks is approved by the Board of Directors.
In accordance with Section 19 of the EBA Guidelines on internal governance, the responsibility for managing ICT and security risks should be delegated to a control function.
The Board of Directors of the CIF should approve an audit plan under which the ICT and security risk functions are audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks, in order to provide independent assurance of the effectiveness of the CIF’s policies and procedures, in accordance with the requirements of section 22 of the EBA Guidelines on Internal Governance.
The Audit Plan should reflect the inherent ICT and security risks identified in the CIF and should be updated regularly. The first internal audit report regarding compliance of all ICT and security risks related activities should be submitted to the Board of Directors by 30th June 2024 at the latest and should be available to CySEC upon request.
CIFs are expected to take appropriate action to ensure compliance with the Guidelines as soon as possible but nevertheless no later than 31st December 2023.
For further clarification or assistance with matters relating to the content of this article, please contact us.
By Andie Henderson, Legal & Compliance Associate, Financial Associates International (FAI Comply)