31st October
Reporting of Major ICT-Related Incidents
On 13 October 2022 the MFSA published a Circular on the Reporting of Major ICT-Related Incidents (the “Circular”).
The Circular explains that, after a public consultation process which began on 12 July 2022, the MFSA issued:
- A Major ICT-Related Incident Reporting Process document (the “Process Document”);
- Templates for Initial, Intermediate and Final Major ICT-Related Incident Reporting (the “Templates”); and
- User Guidelines for submitting Major ICT-Related Incident Reporting to the MFSA (the “User Guidelines”).
The MFSA expects all Authorised Persons[1] (apart from credit institutions, payment service providers, electronic money institutions and account information service providers) to report Major ICT-Related Incidents[2], whether of an operational or security nature, to the Authority, in line with the Process Document, using the provided Templates, and by adhering to the User Guidelines.
The MFSA cautions that major ICT-related incident reporting will eventually have to be aligned with the Digital Operational Resilience Act.
The Circular and the Process Document (including the Templates and the User Guidelines) apply from 13 October 2022 and supersede the Circular on Cybersecurity – Threat Mitigation which was published on 25 September 2019.
[1] Any person that is licensed, registered or otherwise authorised by the MFSA. The term ‘Licence Holder’ is also used by the MFSA.
[2] An ICT-Related Incident that has a high adverse impact on the network and information systems that support critical functions of the Authorised Person (adapted from the latest available text of the Digital Operational Resilience Act, not yet in force at time of publication). A Major ICT-Related Incident meets the thresholds for the determination of Major ICT-Related Incidents in Annex A of the Process Document.