News and developments
MFSA sends letter to management bodies about its 2024 DORA ambitions
The MFSA has just published an open letter to all Board members and CEOs of financial entities falling within the scope of DORA, outlining its minimum expectations regarding their preparedness for the upcoming DORA requirements.
Considering DORA’s wide scope, this letter is addressed to the management teams of almost all entities authorised by the MFSA including banks; financial institutions; investment firms; crypto-asset service providers; managers of alternative investment funds; insurance and reinsurance undertakings; institutions for occupational retirement provision; and crowdfunding service providers.
DORA imposes on financial entities (as defined therein) a number of obligations with the main aim of, inter alia, (i) identifying and managing risks associated with information and communications technology (ICT); (ii) classifying, managing and reporting ICT-related incidents; (iii) ensuring digital operational resilience through testing; and (iv) ensuring oversight and management of risks stemming from third-party ICT providers. Last year, the MFSA had already sent a letter outlining its 2023 expectations, including:
- To inform the management body, key function holders and internal control functions about DORA;
- To keep abreast of updates in relation to technical standards and new reporting requirements under DORA;
- To carry out a gap analysis between their current framework and the DORA requirements, and to adopt a transition plan approved by the management body;
- To discuss potential compliance costs arising, and to engage external consultants and ICT third-party service providers regarding DORA.
In its latest letter, the MFSA expects financial entities to have, at a minimum:
- started developing a Digital Operational Resilience Strategy;
- started developing a DORA Compliant ICT Risk Management Framework;
- started developing an ICT-related incident management process;
- taken steps to ensure that the classification and reporting of major ICT-related incidents and the voluntary notification of significant cyber threats are in line with DORA;
- started developing a DORA compliant digital operational resilience testing programme;
- taken steps towards managing their ICT third-party risk, including developing a strategy on ICT third-party risk and a policy on the use of ICT services supporting critical or important functions;
- started developing a Register of Information as required under DORA;
- started aligning their current written contractual arrangements with ICT third-party service providers with the key contractual provisions mandated by DORA.
Author: James Debono, Luigi Farrugia