Communiqué regarding new reporting procedure for ICT-related incident reporting according to Circular CSSF 24/847
As indicated in our communiqué published on 5 January 2024 related to ICT-related incident reporting, we publish today further guidance related to the submission channels and procedure to be followed when submitting an ICT-related incident notification under Circular CSSF 24/847.
We remind Supervised Entities that this circular enters into force on 1 April 2024 for the Supervised Entities as defined in point 2 a) to d) and k) to p) in Section 1.1., and on 1 June 2024 for the Supervised Entities as defined in point 2 e) to j) in Section 1.1. and on these dates repeals and replaces Circular CSSF 11/504 on “Frauds and incidents due to external computer attacks”. Subsequently, on these dates the new reporting methods and procedures described here below come into effect.
Notifications shall be submitted via one of the two below methods:
- Dedicated procedure on CSSF eDesk Portal
Notifications shall be submitted via the procedure “Major ICT-related Incident Notification”. The procedure is only accessible to the dedicated user role “IT Incident Notifier”. This role must be assigned by the “Advanced User” of the Supervised Entities in eDesk before ICT-related incident notifications can be accessed and submitted. The role shall be attributed to the person/s most suitable to draft and submit the notification to the CSSF, nevertheless no specific sign-off is required. For further details on how to assign this role refer to the on the eDesk Portal homepage.
- Application Programming Interface (“API”) solution S3
Notifications can also be submitted via an API solution based on the use of a structured exchange file (.json format) to be transmitted to the CSSF via the S3 (“simple storage service”) protocol, using the “IT Expert” role. This role must be assigned by the “Advanced User” of the Supervised Entities in eDesk before ICT-related incident notifications can be submitted through S3.
In terms of logistics, the “IT Incident Notifier” as well as the “IT Expert” must have an eDesk account, which requires a LuxTrust authentication.
To avoid connection issues when the procedure becomes mandatory on 1 April and 1 June respectively, the CSSF invites all Supervised Entities to ensure they have set-up the relevant eDesk accounts and enrolled as necessary.
Procedure for submission of major ICT-related Incident Notification
To help Supervised Entities with the submission of their notifications a detailed user guide on Major ICT-related Incident Notification has been developed and is available on the eDesk Portal. This user guide explains the procedures for completing and submitting the ICT-related incident notifications with both channels.
For further assistance, the following email addresses are at your disposal:
- Any question regarding authentication or account creation, or technical issues in submitting a notification, should be addressed to eDesk@cssf.lu.
- Any question relating to the circular, the timeline or the content of the ICT-related incident notifications should be addressed to ictrisksupervision@cssf.lu.
-
Technical document