ICT Risk

Information and communication technology (ICT) risks are an integral part of today’s financial institutions risk spectrum. No matter whether financial institutions are early adopters in new technologies or have implemented non-complex technologies, they are nevertheless exposed to risks related to their respective ICT strategy and ICT operational implementation. Gone are the days when financial institutions were able to perform their day-to-day business without the use of information and communication technology.

It is therefore fundamental that financial institutions shall manage the ICT risks that they are exposed to, in order to avoid potential adverse impacts on the operational functioning of the financial institution, potentially even leading to compromising a financial institution’s viability.

The following chapters aim to provide financial institutions with guidance on various topics related to ICT risk.

For additional information related to new technologies, please consult the Financial innovation page.

Circular CSSF 20/750, as amended, implements the guidelines of the European Banking Authority EBA/GL/2019/04 relating to the management of information and communication technologies (“ICT”) and security risks (hereinafter “ICT Guidelines”).  In addition, the circular specifies that the content of the ICT Guidelines also corresponds to the expectations of the CSSF regarding the risk management measures and control and security arrangements mentioned in the Law of 5 April 1993 on the financial sector (“LSF”) and in the Law of 10 November 2009 on payment services (“LSP”). Thus, the CSSF expects all entities authorised under the LSF and the LSP – whether or not they are also within the scope of the ICT Guidelines – to implement the content of these ICT Guidelines in order to manage their ICT and security risks.

Furthermore, Circular CSSF 22/811 on authorisation and organisation of entities acting as UCI administrator also specifies in point 76 that it is recommended for UCIs and IFMs to comply with the principles of the circular CSSF 20/750, as amended.

Also, the Commission Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the “RTS”), as well as the Commission Delegated Regulation (EU) 2022/2360 amending the RTS as regards the 90-day exemption for account access, set key requirements to improve the security of payment services across the European Union. The payment service providers (“PSPs”) concerned by the new obligations are the ones defined in points (i), (ii), (iii) and (iv) of Article 1(37) of the Law of 10 November 2009 (as amended by the Law of 20 July 2018) on payment services and for which the CSSF is the designated competent authority for supervisory purposes under the law:

i) Credit institutions
ii) Electronic money institutions
iii) POST Luxembourg
iv) Payment institutions

The RTS also require all payment services providers who offer payment accounts accessible online to offer at least one access interface enabling secure communication with, and access, by account information and payment initiation service providers (AISPs and PISPs) to the payment service user’s payment account data. The PSPs that have opted to offer access via a dedicated interface are required to implement a contingency mechanism (also called fallback mechanism), unless they receive an exemption from the CSSF in accordance with the four conditions set out under Article 33(6) of the RTS.

All PSPs concerned that would like to obtain such an exemption are required to refer to the Circular CSSF 19/720 adopting the EBA Guidelines specifying further the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the RTS and to fill in the form for exemption authorisation request available on the CSSF website. This form must be submitted via email to the address psd2‑exemption@cssf.lu.

Finally, all PSPs have to submit under Circular CSSF 20/750, as amended, on an annual basis an updated and comprehensive risk assessment related to payment services. This assessment, titled “PSP ICT Assessment” is to be submitted using the dedicated form via the CSSF’s eDesk portal available at https://edesk.apps.cssf.lu/ .

In recent years, and nonetheless due to recent changes in regulation, financial institutions have taken the opportunity to outsource ICT activities. They are taking advantage of economies of scale, grouping efforts with group entities or making use of external service providers providing solutions adapted to their business models and processes. Nevertheless, outsourcing ICT activities can create challenges to the governance framework of financial institutions, particularly to internal controls, data management and protection, and may even lead to security issues.

In 2022 the CSSF published its Circular CSSF 22/806 on outsourcing arrangements, which transposes the EBA Guidelines on outsourcing arrangements published in 2019. While the EBA Guidelines apply to Credit Institutions, investment firms, payment institutions and electronic money institutions only, the CSSF has chosen to extend the scope of application to promote convergence on a national level. The circular contains in one single document the supervisory requirements on outsourcing arrangements related to information and communication technology that were previously disseminated in individual circulars. Regarding ICT outsourcing arrangements, the circular applies to the financial institutions as defined under point 2 of the circular.

Under this Circular In-Scope Entities shall, according to point 59, if they intend to outsource a critical or important function, as defined in the circular, notify the competent authority using the instructions and, where available, the forms on the CSSF website. To note that notifications shall be submitted at least three (3) months before the planned outsourcing comes into effect, unless when resorting to a Luxembourg support PFS governed by Articles 29-1 to 29-6 LFS, where this notice period is reduced to one (1) month.

With regards to notifications of ICT outsourcing the following applies:

1. Significant institutions (under the direct supervision of the ECB) shall notify the ECB directly of ICT outsourcing arrangements via the IMAS portal. The instructions to be followed by these institutions to submit a notification form are available on the IMAS portal page. The CSSF has published Circular CSSF 23/834 for the Mandatory use of the IMAS Portal for certain supervisory processes including the notification of outsourcing arrangements.
2. Other In-Scope Entities (not under the direct supervision of the ECB) shall notify the CSSF of ICT outsourcing arrangements using the notification forms attached under “Forms” below. The forms must be submitted to the agent in charge of the supervision of the In-Scope Entity via the agreed communication channels, and as set out in the forms.
3. Support PSF authorised under Articles 29-3, 29-5 and 29-6 and their branches abroad may only partially outsource certain ICT operator services under specific conditions, including having obtained the prior approval of the CSSF for the outsourcing. Details are specified in Part II, Sub-chapter 1.2 of the Circular. Concerned support PSF shall contact the agent in charge of their supervision to obtain feedback on the information to be submitted.

To assist with the assessment as to whether an ICT outsourcing is critical or important, in addition to the guidance provided directly in Chapter 4 of the Circular, an FAQ on the assessment of IT outsourcing materiality is provided. To note that in terms of ICT outsourcing the “critical or important” is to be seen as equivalent to “material”.

ICT outsourcing relying on a cloud computing infrastructure has become more and more attractive to financial institutions over the past years. The CSSF has been at the forefront of analysing solutions offered by cloud service providers (CSPs) in order to clarify and establish a concrete regulatory framework as regards ICT outsourcing relying on cloud computing infrastructures. Circular CSSF 22/806 on outsourcing arrangements therefore contains in its Part II a specific chapter (Chapter 2) on ICT outsourcing arrangements relying on a cloud computing infrastructure, providing a definition of “cloud computing” in points 135 and 136, and the specific requirements to be respected when outsourcing to a cloud computing infrastructure.

Point 141.b. describes in particular the requirement for authorisation for a support PSF authorised as OSIRC under Article 29-3 of the LFS in case they want to market activities in relation to the use of cloud computing infrastructure. Concerned support PSF shall contact the agent in charge of their supervision to obtain feedback on the information to be submitted.

The increasing complexity of information and communication technology (ICT), paired with the rise in online services and interconnectedness of financial institutions renders the operations of financial institutions more and more vulnerable to ICT-related incidents. These incidents can include system failures, system intrusions and many other types.

Once ICT-related incidents occur, they can have a significant operational, financial and/or reputational impact on the financial institutions concerned and may even endanger the entire ecosystem. They may also serve as early warning indicators for future incidents.

As such, reporting obligations exist towards the supervisory authority (CSSF and/or ECB) as regards notification of ICT-related incidents to keep the supervisory authority informed of such incidents, and enabling the supervisory authority to closely follow the individual incidents as well as anticipate, if possible, potential impact and consequences for the financial market.

Under Circular CSSF 11/504, all establishments subject to the supervision of the CSSF are required to report on frauds and incidents due to external computer attacks.

To acquire a better and more structured overview of the nature, frequency, significance, and impact of ICT-related incidents, Circular CSSF 11/504 will be progressively repealed and replaced for all supervised entities by Circular CSSF 24/847 introducing a modernised / enhanced ICT-related incident reporting framework. The Circular CSSF 24/847 enters into force:

• on 1 April 2024 for the Supervised Entities as defined in point 2 a) to d) and k) to p) in Section 1.1.; and
• on 1 June 2024 for the Supervised Entities as defined in point 2 e) to j) in Section 1.1.

According to article 3 of the Law of 28 May 2019 (the “NIS Law”) the CSSF is also the competent authority in terms of network and information security for the credit institutions and the financial market infrastructures that have been identified as Operators of Essential Services (hereafter “OES”), as well as for Digital Service Providers (hereafter “DSP”) which are already under the supervision of the CSSF (“NIS authority”).

The CSSF Regulation No 24-01 of 5 January 2024 relating to the notification of incidents according to the NIS Law, which enters into force on 1 April 2024, in its article 2, informs OES and DSP of the incident classification and major incident notification requirements under the NIS Law. This regulation further refers to the Circular CSSF 24/847 for the arrangements regarding the classification and notification of incidents under the NIS Law. This allows for having one uniform document detailing the process for classification and reporting of ICT-related incidents for all entities under CSSF supervision in accordance with financial sector regulatory frameworks and/or with the NIS Law.

The ICT-related incidents to be notified under Circular CSSF 24/847 are to be submitted to the CSSF within the time limits laid down in the Annex I of the circular either:

• a. through the dedicated procedure “Major ICT-related Incident Notification” available on the CSSF eDesk Portal (edesk.apps.cssf.lu): or
• b. via the API interface (S3) provided by the CSSF.

A dedicated user guide named “Major ICT-related Incident Notification – User Guide” is available in the eDesk portal (link below) to help Supervised Entities with the submission of their notifications.

Some Supervised Entities are also subject to other regulatory obligations with regards to incident reporting. With the aim of preventing double reporting, point 7 of the Circular specifies that incidents falling under more than one reporting framework must be reported only once, in almost all cases, according to the other regulatory obligations, such as:

Under Circular CSSF 21/787, applicable to all payment service providers and transposing the requirements of the EBA guidelines on major incident reporting under the PSD2, payment service providers are required to report major operational or security incidents to the CSSF.

All significant institutions are required to report significant cyber incidents to the ECB in line with the ECB’s cyber-incident reporting framework.

All central securities depositories (CSDs) are required to:

a. Inform the CSSF of operational incidents referred to under Article 45(6) of Regulation (EU) No 909/2014 on notification of incidents resulting from the risks that key participants, service and utility providers, other central securities depositories (CSDs) or other market infrastructures might pose to the CSD’s operations, and/or;

b. Communicate to the CSSF the result of the “post-incident” review in line with Article 71(4)(b) of the Commission Delegated Regulation (EU) 2017/392 of 11 November 2016 supplementing Regulation (EU) No 909/2014 on reporting of material operational incidents to the competent authority.

Critical entities of the financial sector in Luxembourg must be able to adequately resist cyber-attacks in order to ensure their own resilience and thereby contribute to the one of the financial sector as a whole. To help achieve this objective, the Banque centrale du Luxembourg (BCL) and the Commission de surveillance du secteur financier (CSSF) decided to jointly adopt the testing framework for controlled cyber-attacks, namely TIBER-LU, in line with their respective financial stability mandates.

TIBER-LU’s adoption is consecutive to the publication in May 2018 of the European framework TIBER-EU¹ by the European Central Bank (ECB). The TIBER-EU framework aims at i) testing the resilience of financial markets’ entities, ii) facilitating tests for cross-border entities that are subject to the supervision by several authorities, iii) helping entities to better assess their protection, detection and response capabilities and to fight against cyber-attacks. In this context, the TIBER-EU framework sets out a harmonised European approach for the conduct of threat-led penetration tests that mimic the tactics, techniques and procedures of real-life threat actors and that simulate a cyber-attack on critical functions and underlying systems of an entity.

The TIBER-EU framework, which was designed to be adopted by national and European authorities and for entities that are essential to the functioning of the financial infrastructure, can be used by all types of entities of the financial sector and also by entities of other sectors.

In line with the TIBER-EU framework, each jurisdiction adopts the European framework at national level by adapting its implementation to national specificities.

Contacts

tiber@bcl.lu and tiber@cssf.lu