What the MFSA Document on ICT Risk and Cybersecurity Means

on 23 February 2021

The Malta Financial Services Authority issued the third instalment of The Nature and Art of Financial Supervision series on January 28, 2021. This document shifts gears to focus primarily on cybersecurity supervision and ICT risk. It first takes a more in-depth look at the background of both sectors and then touches on the legal and regulatory provisions and functions for each.


The document highlights the observations made for ICT risk and cybersecurity supervision and lays out the Authority's expectations for this cross-sectoral priority in 2021 and beyond. The MFSA has stated that it expects regulated entities to read this third instalment and take heed of the recommendations when and where applicable.

MFSA Chief Supervision Officer and Chief Executive Officer ad interim, Dr Christopher P. Buttigieg, commented that “ICT is crucial in all aspects of today’s world. The financial services sector is no exception. In 2020 the MFSA set up a cross-sectoral Supervisory ICT Risk and Cybersecurity function to address risks inherent to this area. Going forward, the Authority has designated ICT Risk and Cybersecurity as one of its priorities for 2021.”


The new document applies to all of the following licensed entities. This is not an exhaustive list, and the actual document may be referenced here for further assessment:

● Financial Institutions

● Credit Institutions

● Investment Services

● Pension Service Providers

● Retirement Pension Schemes

● Trading Venues

● Trustee and Other Fiduciaries

● Virtual Financial Assets

● Company Service Providers

● Central Securities Depositories


The regulation proposal is laid out in the following four areas:

● ICT Risk Management - all financial institutions will be required to have a framework in place that is risk-based.

● Incident Reporting - communication will be enhanced.

● Digital Operational Resilience Testing - proportionate and resilient testing.

● Managing of ICT Third-Party Risk - more outsourcing, new oversight tools for supervisors.

● Information Sharing Arrangements - voluntary scheme to encourage communication about threats.


The MFSA plans to continue building upon the foundational groundwork that was initially carried out in 2020. This development reflects the heightened attention given to ICT Risk and Cybersecurity as the primary focuses for 2021. More terms will be laid out as the year progresses, which will help to prioritize key risk areas within the industry. The MFSA plans to educate and carry out these initiatives with a broader awareness of all activities for stakeholders and companies alike. The Authority expects regulated entities to adhere to the content of this third volume. If they do not, corrective action will be taken when and where appropriate so that the expectations laid out by the Authority are followed.
