MFSA Sets Cyber Risk and Security as One of Its Top Priorities

What does it mean for you?

tl1.pngJust before the Christmas break, the Malta Financial Services Authority (MFSA) delivered on their commitment to set a baseline for ICT and Security Risk Management. A chunky read for the days at home during the festive season. MFSA the Authority to ensure that it can continue to exercise its oversight across the relevant sectors.  You can read the original document here.

The Guidelines apply to all sectors of industries licensed by the MFSA. This publication has therefore a very wide impact on the businesses.

Let’s be clear, these are not regulations and therefore are not subject to fines due to non-compliance. Yet the implications are significant and this for 2 reasons:

  • Setting the Goalpost

A baseline has been established. One that is applicable to not only technologically advanced companies such as those dealing in blockchain technology, but also to small Tied Insurance Intermediaries (TIIs), Pension Funds and Corporate Service Providers. If any kind of investigation is kicked-off by the MFSA, the auditor is bound to also verify your adherence to the Guidelines. Failure to prove such will automatically pre-judicate the rest of the investigation and is expected to lead to harsher penalties.

  • Setting the Scene

These Guidelines are not intended to be a means to an end. The European Union (EU) is working on a draft regulation that will make such cybersecurity and risk measures mandatory within the financial services sector. The MFSA are active participants of this drafting process. Indicators are that the publication will happen over the next 12 months. That’s soon. Very soon. These Guidelines are therefore allowing companies to start working on the subject area and preparing themselves for tighter regulation and control.


The Guidelines are based on fundamental principles that make them applicable to companies of any size, from 3-person family TIIs to the larger companies. The guidelines are principles-based and do not favour one type of technology over another be it on-premises, Cloud or any other as long as compliance obligations can be met. There is a core understanding that risk will vary according to the size of the business and that the control measures will likewise and proportionately move. As a result, a consistency of outcomes (a strong security posture) is always expected. This is a crucial dimension, for it implies that small companies are not exempt from security and risk management. They still need to perform a risk-based assessment. They still need to identify critical assets and apply improved security controls. They still need to establish and maintain an operational governance framework that must include ICT Governance and Risk Mitigation as an intrinsic part.

There is also a message which explains that businesses are always responsible for elements of security and risk management, even in solutions based on Software as a Service (SaaS) such as XERO, GMAIL and Office365. The diagram below is quoted by the guidelines to demonstrate such concepts.


Driving Business Value

Ignoring the requirements set out in these guidelines is akin to digging one’s head into the proverbial sand. Change in regulation is happening. Whether one addresses the issue or not will determine how long you can survive. If you rush it or consider it as a tick-in-the-box exercise, this will drain time and money. Done properly, however, security and risk management can be an opportunity to drive business value, cut costs and hedge against disaster.

Our experience in the field has touched upon many elements which you will need in your implementation journey. Below is a list of services that we have already offered but every engagement will be bespoke since, as the Guidelines themselves highlight, every business has differing priorities and needs.