CySEC Circular C571 – EBA Guidelines on Information and Communication Technology (ICT) and security risks management (EBA/GL/2019/04)


Relevant to: Cyprus Investment Firms (‘CIFs’)

Circular C571 (“the Circular”) dated 02/05/2023 draws attention to the EBA’s Guidelines on Information and Communication Technology (“ICT”) and security risk management, and to certain actions required to ensure compliance with the Guidelines.

Through Circular C571, CySEC wishes to bring to the attention of CIFs the Guidelines on ICT and security risk management (the ‘Guidelines’). It is noted that the Guidelines were published on November 29, 2019 by the European Banking Authority (EBA).

The key takeaways from CySEC’s C571 circular can be found below:

  • CySEC has adopted the Guidelines by incorporating them into its supervisory practices and regulatory approach.
  • The Guidelines apply to CIFs that fall under sections 9(1), (3) and (4) of the Prudential Supervision of Investment Firms Law of 2021, i.e. those with an initial capital requirement of €150.000 and €750.000.
  • The Guidelines address ICT and security risks that have increased in recent years. This is due to the increasing digitalisation of the financial sector and the increasing interconnectedness through telecommunications channels (internet, mobile and wireless lines, and wide area networks) and with other financial institutions and third parties. This renders financial institutions’ operations vulnerable to external security attacks. In particular, the Guidelines specify the risk management measures that financial institutions must take to manage their ICT and security risks for all activities.
  • Among other things, the Guidelines specify the following:
    • The management body of a CIF should ensure that it has an adequate internal governance and internal control framework in place for its ICT and security risks. The management body should set clear roles and responsibilities for ICT functions, information security risk management, and business continuity, including those for the management body and its committees.
    • A CIF should assign the responsibility for managing and overseeing ICT and security risks to a control function, adhering to the requirements of Section 19 of the EBA Guidelines on internal governance (EBA/GL/2017/11).
    • The CIF’s governance, systems and processes for its ICT and security risks should be audited on a periodic basis by auditors with sufficient knowledge, skills and expertise in ICT and security risks to provide independent assurance of their effectiveness to the management body.

CySEC expects that CIFs[1] will take the necessary actions to ensure compliance with the Guidelines as soon as possible, and not later than 31.12.2023, if they have not already done so.

  • Specifically:
    • The CIFs should determine their governance and internal control framework for their ICT and security risks that would be approved by their Board of Directors and establish measures to manage and mitigate their ICT and security risks.
    • The CIFs should assign their internal audit function to independently review and provide objective assurance of the compliance of all ICT and security related activities and units of the CIF with its policies and procedures, adhering to the requirements of Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11).
    • The Board of Directors of the CIF should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the CIF and should be updated regularly.

The first internal audit report regarding the review of the CIF’s compliance of all ICT and security related activities with its policies and procedures and with external requirements should be submitted to its Board of Directors by 30.06.2024 at the latest.

Should you need more information or assistance with implementation of the Guidelines, you can email us at info@mnkriskconsulting.com or call us at 25-508201.
[1] Initial capital requirement €150.000 and €750.000