Supervisory Authority Warned of ICT-Related Incidents to Ensure Financial Market Stability
======================================================
The Commission de Surveillance du Secteur Financier (CSSF) and the European Central Bank (ECB) have been alerted by the supervisory authority to the need for timely notification of ICT-related incidents. Timely notification keeps them informed of such events, enabling them to closely monitor individual incidents and anticipate the potential impact and consequences on the financial market.

Circular CSSF 11/504 Replaced with Enhanced Framework
-----------------------------------------------------
As part of this effort, Circular CSSF 11/504, which required establishments subject to CSSF supervision to report frauds and external computer attacks, will be repealed and replaced by Circular CSSF 24/847. The new circular introduces a modernized ICT-related incident reporting framework for all supervised entities.

Notification Requirements Under NIS Law
---------------------------------------
According to the Law of May 28, 2019 (NIS Law), the CSSF is also responsible for network and information security for credit institutions, financial market infrastructures, Operators of Essential Services (OES), and Digital Service Providers (DSP) under its supervision. The CSSF Regulation No 24-01 of January 5, 2024 relates to the notification of incidents under the NIS Law and refers to Circular CSSF 24/847 for incident classification and reporting requirements.

Incident Notification Procedures
--------------------------------
Supervised entities are required to submit ICT-related incidents to the CSSF within specific time limits, either through the “Major ICT-Related Incident Notification” procedure on the eDesk Portal or via an API interface. A dedicated user guide is available to assist with submissions.

Preventing Double Reporting
---------------------------
To prevent double reporting, incidents that fall under multiple regulatory frameworks must be reported only once, in accordance with the other relevant regulations, such as PSD2 Major Incident Reporting, SSM Cyber Incident Reporting, and Specific Incident Reporting Requirements for Central Securities Depositories.

TIBER-LU: A Joint Testing Framework
-----------------------------------
The Banque centrale du Luxembourg (BCL) and the Commission de surveillance du secteur financier (CSSF) have jointly adopted TIBER-LU, a testing framework for controlled cyber-attacks aimed at ensuring critical entities’ ability to resist cyber-attacks and contribute to financial sector resilience.

Contact Information
-------------------
For further information on ICT-related incident reporting and TIBER-LU, please contact tiber@bcl.lu and tiber@cssf.lu.