Circular C571 of the Cyprus Securities and Exchange Commission based on the EBA Guidelines on Information and Communication Technology (ICT) and security risk management (EBA/GL/2019/04)
What are the EBA Guidelines and Circular C571 about?
The Cyprus Securities and Exchange Commission (the “CySEC”), on 2nd May 2023, issued Circular C571 with regard to the Guidelines on ICT and security risk management (the ‘Guidelines’), as published on November 29, 2019 by the European Banking Authority (EBA).
CySEC has adopted the Guidelines by incorporating them into its supervisory practices and its regulatory approach.
The scope of the Guidelines is to address ICT and security risks that have increased in recent years, due to the increasing digitalisation of the financial sector and the growing interconnectedness through telecommunications channels (internet, mobile and wireless lines, and wide area networks) and with other financial institutions and third parties.
While the Guidelines recognise that cybersecurity should be part of a financial institution's information security risk management as a whole, the Guidelines in particular address the risk management actions that financial institutions must take to manage their ICT and security risks across all activities.
Circular C571 and its applicability
CySEC has adopted the Guidelines, which apply to CIFs that fall under sections 9(1), (3) and (4) of the Prudential Supervision of Investment Firms Law of 2021, i.e. those with an initial capital requirement of €150.000 and €750.000.
What is the CIFs' compliance deadline?
CIFs are required to take the necessary actions to ensure compliance with the Guidelines as soon as possible, and no later than 31.12.2023.
Relevant internal audit reports should be submitted to the Board of Directors by 30.06.2024 and should be available for submission to CySEC upon request.
What needs to be done?
- CIFs should determine their governance and internal control framework for ICT and security risks and establish measures to manage and mitigate those risks.
- CIFs should review and provide objective assurance of the compliance of all ICT and security related activities and units of the CIF with its policies and procedures.
- CIFs should approve the audit plan, including any ICT audits and any material modifications thereto, by 31.12.2023.
How can we help you comply?