MFSA Report Analysis



MFSA Guidance Report – Salient Points

During Q4 of 2020 the Malta Financial Services Authority released an official report about Information and Communication Technology (ICT). The paper also included extensive sections about Security and Risk Management.

The guidance document, which has its roots in various European and international sources, encapsulates MFSA’s expectations of regulated entities. Whilst some aspects are already incorporated in specific rule books, it is expected that in the near future more elements of this guidance document will feature in the sector-specific rules.

The review was carried out by Cybergate’s CTO, Francesco Mifsud. The following document was reviewed:

  • Guidance on technology arrangements, ICT and security risk management and outsourcing arrangements, by Malta Financial Services Authority.

Technology is at the core of the financial services industry, acting as an enabler for innovation, shorter time-to-market, improved customer experience, operational efficiencies and regulatory compliance.

This is a summary with highlights of the key points related to cyber security.

MFSA’s ICT and Security Risk Management – The Salient points

The most important points from the Cybersecurity section (Ref: Section 4 ‘ICT and Security Risk Management’, Pages 35-59, Sub Section 6 and 7) in MFSA’s guidance document include:

  • Training for staff at least annually
  • Implementation of security measures to include:
    • Information security reviews, assessments and testing
    • Information security training and awareness
  • The information security testing framework should ensure that tests:
    • are carried out by independent testers with sufficient knowledge, skills and expertise, e.g., holding certification in information security assessment, in testing information security measures and not involved in the development of the information security measures;
    • include vulnerability scans and penetration tests (including threat led penetration testing where necessary and appropriate) adequate to the level of risk identified with the business processes and systems.
  • Vulnerability assessments and penetration testing shall be performed by an independent party at least on an annual basis. Non-critical systems should be tested regularly on a risk-based approach, but at least every three years instead of annually provided such non-critical systems are logically isolated from critical systems and there is no interdependence or information exchange between any of the non-critical systems and critical systems.
  • Staff members occupying key roles receive targeted information security training at least annually.
  • Establish and implement periodic security awareness programmes to educate their staff, including the Management Body, on how to address information security risks.

The official documentation emphasises the importance of cyber security testing and awareness training of workforces. We believe that Cybersecurity would eventually form an integral part of wider compliance requirements and in this context we urge organisations to start planning and reviewing their systems. The publishing of the frameworks is definitely a step in the right direction and Cybergate joins in supporting this initiative as it reflects the company’s vision and ethos.

The MFSA document can be found here as a PDF document

    Francesco Mifsud

    I live and breathe cyber security and everything else in the discipline. With around a decade of experience in the industry I have had the opportunity to develop skills in penetration testing, cloud security, reverse engineering & exploit development, application security engineering, management and organisation-wide cyber security strategy. I hold a well-rounded set of security certifications such as OSCP, eWPTX and CISSP and have delivered training & workshops at some of the most prestigious hacking conferences such as DEF CON, BRU CON, BSides London and BSides Manchester.