Enhancing Digital Resilience: Key Insights from MFSA’s Latest ICT and Cybersecurity Supervision Report

As the financial services sector continues to rely on digital tools and processes, exposure to Information and Communication Technology (ICT) risks is increasing. To address these risks, the Malta Financial Services Authority (MFSA) has taken a proactive approach, recently releasing its latest edition of 'The Nature and Art of Supervision'. This publication, focusing on the Supervisory ICT Risk and Cybersecurity (SIRC) Function, provides valuable insights into how the Authority is strengthening the digital resilience of Malta’s financial sector.

Key Regulatory Expectations for Licensees: Preparing for DORA

With the forthcoming Digital Operational Resilience Act (DORA) set to reshape the regulatory landscape across the EU, the MFSA is emphasising the need for financial institutions to strengthen their ICT frameworks. DORA will require all financial entities to maintain robust resilience against ICT-related risks, and licensees are expected to proactively prepare for this shift.

The MFSA is calling on all authorised persons to ensure they have comprehensive plans in place to address potential ICT disruptions. This includes solidifying risk management practices, establishing clear incident reporting procedures, and ensuring compliance with DORA’s stringent requirements.

Core Areas of Focus for Licensees

The MFSA has outlined specific areas where licensees should concentrate their efforts to meet the expectations of ICT and cybersecurity supervision:

  • ICT Risk Management: Licensees are expected to develop a well-structured ICT risk management framework that identifies, assesses, and mitigates risks to their systems. This involves not just protecting critical infrastructure but also ensuring continuity in service provision. Strong governance, accountability, and monitoring of ICT risks should be central to a firm’s operational strategy.
  • Incident Reporting and Management: Financial institutions must establish clear processes for detecting, managing, and reporting ICT incidents. The MFSA requires timely notification of any cybersecurity breaches or disruptions. Effective incident management plans are essential to mitigate damage and maintain client trust in case of a significant ICT-related event.
  • Third-Party ICT Risk: The use of third-party ICT service providers introduces additional risk, and licensees are expected to implement thorough due diligence and monitoring processes. The MFSA stresses that financial entities must ensure that their third-party providers meet the required security and operational resilience standards, as these providers are integral to the overall stability of the institution’s operations.
  • Cybersecurity Maturity: The MFSA is encouraging all licensees to elevate their cybersecurity capabilities. This involves regularly testing their systems, such as through threat-led penetration testing, to identify vulnerabilities and ensure that cybersecurity defences are strong. Building an adaptive security strategy that can evolve with emerging threats is crucial.
  • DORA Compliance: With DORA’s implementation on the horizon, the MFSA expects licensees to actively prepare for compliance. This includes reviewing existing ICT risk management frameworks, upgrading systems where necessary, and ensuring that incident reporting and management processes meet the new regulatory standards. Authorised persons should be conducting internal assessments now to ensure they are ready to comply with the detailed requirements of the new legislation.

Meeting MFSA Expectations is Key to a Resilient Future

As the financial services sector faces increasing ICT risks, the MFSA is placing greater emphasis on digital operational resilience. Licensees must ensure that their ICT frameworks are robust and capable of addressing these risks, particularly as new regulations like DORA come into effect. By focusing on key areas such as risk management, incident reporting, and third-party oversight, financial institutions can strengthen their resilience and remain compliant with the MFSA’s standards.

For licensees seeking guidance, BDO Malta stands ready to assist in aligning with these evolving expectations, providing the expertise and support necessary to build a secure and future-ready operational framework.

How Can BDO Malta Assist?

With the evolving landscape of regulations and ICT risks, financial institutions benefit from expert support to strengthen their digital resilience. BDO Malta is uniquely positioned to provide this support, offering a range of services that help financial institutions meet regulatory standards and enhance their operational security.

BDO Malta’s services include:

  • DORA Readiness Assessments: Assisting financial firms in evaluating their preparedness for DORA and addressing any gaps in their ICT risk management frameworks.
  • Cybersecurity Advisory Services: Delivering tailored strategies to improve cybersecurity posture, from risk assessments to incident response planning and ongoing monitoring.
  • ICT Third-Party Risk Management: Supporting organisations in assessing and managing risks associated with outsourcing ICT services, ensuring compliance with regulations and safeguarding against vulnerabilities.
  • Penetration Testing and Vulnerability Assessments: Providing advanced penetration testing to identify and rectify weaknesses in an organisation’s digital infrastructure.
  • Ongoing Regulatory Support: Offering expert guidance on regulatory compliance to help financial institutions stay ahead of regulatory developments and maintain strong risk management practices.

By partnering with BDO Malta, financial institutions can enhance their digital resilience, ensuring they meet regulatory standards while building a secure and sustainable operational foundation.

Get in touch with our team at [email protected].
