CSSF publishes Circular 20/750 on requirements regarding information and communication technology (ICT) and security risk management
28 August 2020
Context and objectives
On 25 August 2020, the Commission de Surveillance du Secteur Financier (CSSF) published Circular 20/750 on requirements regarding information and communication technology (ICT) and security risk management (“the circular”), implementing in Luxembourg the EBA Guidelines on ICT and security risk management (EBA/GL/2019/04, “the guidelines”). The guidelines establish the requirements for credit institutions, investment firms, payment institutions and electronic money institutions to mitigate and manage their information and communication technology (ICT) risks, aiming to ensure a consistent and robust approach across all European Union (EU) member states. However, the circular extends the scope of the guidelines to include all professionals of the financial sector (PFS).
The guidelines give financial institutions a better understanding of the supervisory expectations for risk management, covering areas such as ICT governance and strategy, ICT risk management frameworks, information security, ICT operations management, ICT project and change management, and business continuity management. The guidelines are principle-based and flexible enough to be applied to all the sector’s relevant institutions.
Key regulatory aspects
Along with implementing the guidelines, the circular:
- Updates the existing CSSF Circular 12/552 to align it with the guidelines;
- Repeals Circular CSSF 19/713, which implemented EBA/GL/2017/17; and
- Includes an additional requirement for payment service providers (PSPs), which must provide an up-to-date and exhaustive risk assessment to the CSSF annually. The form and deadlines are as follows:
  - for credit institutions, this assessment, signed by the management body, must be submitted as soon as possible after the closing of the financial year and no later than 30 April of each year;
  - for payment institutions and electronic money institutions, this assessment must be included in a dedicated section of the management report on internal control, which must be published in accordance with the requirements set out in Circular CSSF 15/614, no later than the last day of the third month following the closing date of the financial year.
Find out more about the guidelines in our dedicated article “EBA Guidelines on ICT and security risk management—EBA/GL/2019/04”.
What’s in it for my institution?
While the circular targets credit institutions, it is nevertheless advisable for any financial institution to make every effort to comply with its provisions in a way that is proportionate to, and takes account of, your financial institution’s size, internal organization, and the nature, scope, complexity, and riskiness of the services and products that your financial institution provides or intends to provide.
Financial institutions must develop, document and operate strong ICT risk management practices to be able to comply with the guidelines.
The circular came into force on 25 August 2020 and is directly applicable; therefore, the date of the first risk assessment is April 2021.
How can Deloitte help?
We remind you that financial institutions will only be able to comply with the guidelines by developing strong ICT risk management practices.
With this in mind, Deloitte can help organizations improve their ICT risk management practices’ maturity by assessing, designing, and implementing:
- Regulatory compliance assessment—gap assessment against the regulatory requirements outlined in the guidelines.
- ICT and security risk management capability enhancement—ICT and security risk management policies and standards, processes, tools and technologies.
- ICT and security risk reporting and culture—ICT, business and board ICT and security risk reporting using key risk indicators (KRIs) to provide visibility to senior management.
- ICT and security risk assessment—ICT and security risk assessment in the context of digital initiatives or major ICT changes, tailored to the organization’s risk profile and integrated into the organization’s risk management framework.
- Readiness ICT and security assessment—simulation of a competent authority’s onsite inspection to test the readiness of the company’s processes and practices against the regulatory requirements outlined in the guidelines.
Deloitte’s Regulatory Watch Kaleidoscope service helps you stay ahead of the regulatory curve to better manage and plan upcoming regulations.
Subject matter specialists
Frederic de Pauw
Regulatory Watch Kaleidoscope service