Financial Crime World

MFSA Warns of ICT Outsourcing Risks and Urges Financial Entities to Enhance Cybersecurity Measures

Valletta, Malta - The Malta Financial Services Authority (MFSA) has sounded the alarm on the risks associated with ICT outsourcing arrangements and inadequate cybersecurity measures among financial entities.

In its latest report, the MFSA noted that some licence holders have failed to conduct thorough due diligence on third-party providers (TPPs), leading to significant overreliance on outsourcing services. The Authority also highlighted instances where outsourcing policies were insufficient or neglected ongoing assessments of TPP performance.

Warning Signs

  • Inadequate business continuity management practices among financial entities
  • Failure to conduct thorough due diligence on third-party providers
  • Insufficient outsourcing policies, including policies that neglect ongoing assessments of TPP performance
  • False sense of security in intra-group setups
  • Lack of a proactive approach to cybersecurity and ICT risk management

Recommendations

To address these concerns, the MFSA has issued several recommendations to financial entities:

  • Conduct thorough due diligence on third-party providers
  • Establish adequate business continuity management practices
  • Perform regular testing of procedures
  • Increase training and awareness at all levels
  • Ensure clear roles and responsibilities are in place
  • Manage vulnerabilities efficiently and effectively
  • Audit ICT and cybersecurity regularly
  • Test the security of the ICT infrastructure regularly

Supervisory Activities

The MFSA plans to build on its 2020 work by retaining ICT Risk and Cybersecurity as a cross-sectoral area of focus in 2021. The Authority will:

  • Intensify supervisory activities
  • Develop an ICT and Cybersecurity risk model for supervision
  • Conduct a comprehensive thematic desk-based review on ICT Risk and Cybersecurity matters

Education and Awareness

The MFSA also plans to engage with the industry and carry out education and awareness activities for stakeholders. The report emphasizes that ICT risk and cybersecurity go beyond supervision and regulatory compliance, and that financial entities must take ownership of their cybersecurity and adopt a proactive approach to mitigate risks.

Conclusion

Financial entities are expected to note the contents of this publication and take corrective action, where appropriate, to meet the MFSA’s expectations.