6th September

Latest Insights on ICT and Cybersecurity Supervision: A Focus on DORA Compliance

The Malta Financial Services Authority (MFSA) has recently published the eleventh volume of “The Nature and Art of Financial Supervision,” focusing on Supervisory ICT Risk and Cybersecurity.

This comprehensive document outlines the evolving landscape of ICT risk management and cybersecurity within the financial sector, emphasizing the importance of digital operational resilience.

Key Highlights:

1. Supervisory Approach and Priorities:

  • The MFSA has adopted an outcome-based supervision model, prioritising ICT risk and cybersecurity as critical components of financial stability.
  • The document details the five pillars of the Digital Operational Resilience Act (DORA): ICT risk management; ICT-related incident management, classification and reporting; digital operational resilience testing; ICT third-party risk management; and information-sharing arrangements. Together these are essential for ensuring robust ICT risk management and cyber resilience.
  • The MFSA’s Supervisory ICT Risk and Cybersecurity (SIRC) Function has evolved its supervisory efforts to align with the DORA Regulation. Key supervisory priorities include:
    • DORA Preparedness.
    • Assessing entities’ risk management and compliance functions, focusing on ICT risk and cybersecurity.
    • Evaluating incident management preparedness.
    • Ensuring proper governance of ICT third-party providers.

2. Incident Reporting and Management:

  • The MFSA emphasizes the timely reporting and effective management of major ICT-related incidents and significant cyber threats, in line with the incident-reporting obligations that DORA places on financial entities.
  • The framework includes detailed procedures for incident notification and management, aiming to mitigate the impact of cyber threats on financial institutions.
  • Common issues highlighted during supervisory efforts include:
    • High awareness of the DORA Regulation, but concrete actions like planning and gap analysis are still in progress.
    • Inadequate measurement of control effectiveness and adherence to internal policies.
    • Need for improved incident management processes and ICT third-party contractual arrangements.

3. Cyber Resilience Exercises (CREs):

  • The MFSA conducts regular CREs to assess and enhance the cyber resilience of financial entities.
  • These exercises are run at several levels, including internal, micro and macro-level assessments, to ensure comprehensive preparedness against cyber threats.

4. Coordination and Information Sharing:

  • The document highlights the importance of coordination frameworks and information-sharing arrangements to foster collaboration among financial institutions and supervisory authorities.
  • In addition to the regulatory requirements, there is a voluntary information-sharing agreement intended to improve the wider industry’s understanding of its threat exposure. Prevalent threats and infiltration strategies include:
    • Social engineering techniques such as phishing, smishing, and clone websites.
    • MFA fatigue (MFA spamming) attacks, in which an attacker who already holds valid credentials floods the user with push-notification prompts until one is approved.
    • System, software, or application weaknesses and failures.
    • Vulnerabilities in third-party systems.

5. On-Going Supervision and Thematic Reviews:

  • Regular supervisory meetings and “Dear CEO” letters are part of the ongoing engagement with financial institutions to ensure compliance with DORA and other relevant regulations.
  • Financial entities must maintain a Register of Information (RoI) covering all contractual arrangements with ICT third-party service providers. The European Supervisory Authorities (ESAs) will use the RoIs to designate critical ICT third-party providers (CTPPs), which will then fall under a dedicated oversight framework. Additionally, selected financial entities will undergo advanced threat-led penetration testing (TLPT) aligned with the TIBER-EU framework. The MFSA is working on the national implementation of DORA TLPT, which in most cases follows the TIBER framework.
  • The MFSA will continue to conduct on-site inspections and thematic reviews to continuously monitor and enhance ICT risk management practices.

The MFSA’s latest publication underscores the critical role of ICT risk and cybersecurity supervision in maintaining financial stability. By aligning with DORA’s requirements, financial institutions can enhance their digital operational resilience and safeguard against evolving cyber threats. For organizations seeking support on DORA compliance, ARQ Group offers guidance and tailored solutions to navigate this complex regulatory landscape.

For further assistance, reach out to Alex Konewko, our Director – Risk Advisory, and Billy Smith, our Compliance Tech Specialist.
