Financial Institutions Face Growing Risk of ICT-Related Incidents
As the financial sector continues to rely heavily on information and communication technology (ICT), institutions are becoming increasingly vulnerable to a range of ICT-related incidents, including system failures, intrusions, and other disruptions.
These incidents can have significant operational, financial, and reputational impacts on affected institutions, and may even compromise the entire ecosystem. In light of these risks, regulatory bodies are stepping up efforts to enhance reporting requirements and incident response frameworks.
New Circular Sets Out Enhanced ICT-Related Incident Reporting Framework
The Commission de Surveillance du Secteur Financier (CSSF) has issued a new circular, CSSF 24/847, which introduces an enhanced ICT-related incident reporting framework for all supervised entities. The circular replaces the previous requirement to report frauds and incidents due to external computer attacks under Circular CSSF 11/504.
Key Changes
- Institutions will be required to submit notifications of ICT-related incidents within specific time limits using a dedicated online portal or API interface provided by the CSSF.
- A user guide is available to assist entities with the submission process.
- An incident that falls under more than one reporting framework is reported only once, in line with the applicable regulatory obligations set out below.
Regulatory Obligations
The circular specifies that incidents must be reported according to the following regulatory obligations:
- PSD2 Major Incident Reporting: Payment service providers are required to report major operational or security incidents to the CSSF.
- SSM Cyber Incident Reporting: Significant institutions must report significant cyber incidents to the European Central Bank (ECB).
- Specific Incident Reporting Requirements for Central Securities Depositories: These entities must inform the CSSF of operational incidents and communicate the results of post-incident reviews.
TIBER-LU Framework
In addition, the Banque Centrale du Luxembourg (BCL) and the CSSF have jointly adopted the TIBER-LU testing framework for controlled cyber-attacks. This framework aims to help critical entities in the financial sector resist cyber-attacks and ensure their own resilience, as well as that of the financial sector as a whole.
Background
The adoption of TIBER-LU is part of efforts to enhance cybersecurity standards across the financial sector, building on the European Central Bank’s (ECB) publication of the TIBER-EU framework in 2018. The TIBER-EU framework sets out a harmonised approach for conducting threat-led penetration tests that mimic real-life cyber-attacks.
Contact Information
For more information on TIBER-LU, please contact: