MFSA Guidance Report – Salient Points

During Q4 of 2020 the Malta Financial Services Authority released an official report about Information and Communication Technology (ICT). The paper also included extensive sections about Security and Risk Management.

The guidance document, which has its roots in various European and international sources, encapsulates MFSA’s expectations from regulated entities and whilst some aspects are already incorporated in specific rule books it is expected that in the near future more features of this guidance document will feature in the sector specific rules.

The review was carried out by Cybergate’s CTO, Francesco Mifsud. The below was reviewed:

• Guidance on technology arrangements, ICT and security risk management and outsourcing arrangements, by Malta Financial Services Authority.

This is a summary with highlights of the key points related to cyber security.

MFSA’s ICT and Security Risk Management – The Salient points

The most important points from the Cybersecurity section (Ref: Section 4 ‘ICT and Security Risk Management’, Pages 35-59, Sub Section 6 and 7) in MFSA’s guidance document include:-

• Training for staff at least annually
• Implementation of security measures to include:
  • Information security reviews, assessments and testing
  • Information security training and awareness
• The information security testing framework should ensure that tests:
  • are carried out by independent testers with sufficient knowledge, skills and expertise, e.g., holding certification in information security assessment, in testing information security measures and not involved in the development of the information security measures;
  • include vulnerability scans and penetration tests (including threat led penetration testing where necessary and appropriate) adequate to the level of risk identified with the business processes and systems.
• Vulnerability assessments and penetration testing shall be performed by an independent party at least on an annual basis. Non-critical systems should be tested regularly on a risk- based approach, but at least every three years instead of annually provided such non-critical systems are logically isolated from critical systems and there is no interdependence or information exchange between any of the non- critical systems and critical systems.
• Staff members occupying key roles receive targeted information security training at least annually.
• Establish and implement periodic security awareness programmes to educate their staff, including the Management Body, on how to address information security risks.

The official documentation emphasises the importance of cyber security testing and awareness training of workforces. We believe that Cybersecurity would eventually form an integral part of wider compliance requirements and in this context we urge organisations to start planning and reviewing their systems. The publishing of the frameworks is definitely a step in the right direction and Cybergate joins in supporting this initiative as it reflects the company’s vision and ethos.

The MFSA document can be found here as a PDF document