To support the PFS industry in understanding the latest regulatory developments on ICT and security requirements, the ABBL (Digital Banking & FinTech Innovation Cluster) and Finance & Technology Luxembourg gathered a panel of experts on Friday 25 September. During the conference, they took a deep dive into the guidelines published by the EBA (European Banking Authority) and their transposition by the CSSF in circular 20/750, providing a better understanding of what can be done and how. Here are the key insights from the conference and discussion.
From best practices to guidelines: an important step
The guidelines are nothing other than well-known best practices. “But “best practices” remain recommendations on a voluntary basis, and we have to move to another step as we talk about guidelines”, says Cécile Gellenoncourt, Head of Department, Supervision of Information Systems and Support PFS, CSSF.
The regulator at EU level has decided to define and communicate its requirements and expectations with regard to ICT risk management. “ICT is important”, explains Cécile Gellenoncourt, “and it is also very important to manage the risks that can apply to that, as the risk can be huge for entities. A lot of controls are done through ICT systems, and it has an impact on our day-to-day way of working. Today more than ever, we are very happy to have a strong ICT system to adapt to new constraints.”
An extended scope of application
The guidelines are to be followed by all entities within scope. The previous EBA guidelines on ICT risk assessment (EBA/GL/2017/05) covered only the banking sector and were addressed to supervisors, not to entities. They were followed by other EBA guidelines, this time addressed only to PSPs and covering payment services. Finally, in February 2019, the EBA published guidelines on IT outsourcing; these already marked a big difference, as they covered all PFS entities.
The EBA ICT guidelines (EBA/GL/2019/04) are an important step, as they are the first with such a large scope:
- They cover ICT and security risk management as a whole, including all ICT and security risks to which the entity is exposed
- They are addressed to all entities under the EBA’s remit
In transposing the EBA guidelines into the local framework, within circular CSSF 20/750, the CSSF decided to extend the scope of the guidelines to specialised PFS, as they are also exposed to IT risks.
The “principle of proportionality”
The CSSF guidelines apply a notion of proportionality, which means flexibility for both the regulated entities and the regulator itself.
Cécile Gellenoncourt, CSSF: “We have to keep in mind that there is a proportionality principle. It is key, and it can be applied in both directions: some requirements can be implemented with fewer controls or less granularity, whereas risky companies will have to apply the proportionality principle the other way around. It applies mainly to the way institutions will comply with the requirements, for example the frequency of certain controls. There is no one solution, of course, and this is certainly not a reason to NOT apply the guidelines.”
The principle of proportionality applies to all entities, taking into account the following characteristics of financial institutions:
- Size, number of clients
- Complexity of the systems
- Use of new technologies
- Internal organisation
- Nature, scope, complexity and risk level of the services and products that the financial institutions provide or intend to provide
Entities will have to carry out their own risk assessment, looking at those key points and defining controls and measures in line with the level of risk. One example given by Cécile Gellenoncourt is the frequency of controls: the minimum expectation would be a yearly certification of access rights, while a higher frequency would be expected for risky user accounts or remote access.
Another example: for a very small entity, the CSSF would expect that it is aware of common vulnerabilities and is able to patch the most critical ones in a timely manner, while for a bigger entity the CSSF would expect stronger cybersecurity capabilities, enabling more frequent scanning for potential vulnerabilities.
A stronger basis for a single rulebook for ICT operational resilience
The EBA guidelines are only one piece of the European Commission’s Digital Strategy, whose centrepiece is DORA, the Digital Operational Resilience Act for financial services. The goal of DORA is to develop a single regulatory and supervisory rulebook for ICT operational resilience in the financial sector.
DORA is expected to cover four areas:
- ICT risk management requirements: the regulation will require an active role from management, and it will apply to all financial firms in Europe, a very large population
- Incident reporting requirements, with the obligation for entities to log their incidents and to report the major ones to the competent authorities
- A digital operational resilience testing framework, with minimum cyber-hygiene and testing of systems
- Oversight of ICT third-party providers to financial institutions, which answers supervisors’ concern that it is sometimes difficult to negotiate with critical third-party providers, and hence the importance of having an oversight framework at EU level to look at those providers
The first legislative proposal was published on 24 September, and a final text is expected to be voted on by the end of the first half of 2022. In the meantime, the NIS (Network and Information Systems) law still applies.