Information and communication technology (ICT) risks are an integral part of today’s financial institutions’ risk spectrum. Whether financial institutions are early adopters of new technologies or have implemented only non-complex technologies, they are exposed to risks arising from their ICT strategy and its operational implementation. Gone are the days when financial institutions were able to perform their day-to-day business without the use of information and communication technology.

It is therefore fundamental that financial institutions manage the ICT risks they are exposed to, in order to avoid adverse impacts on their operational functioning, which could ultimately compromise a financial institution’s viability.

The following chapters aim to provide financial institutions with guidance on various topics related to ICT risk.

For additional information related to new technologies, please consult the Financial innovation page.

ICT and Security Risk Management

Circular CSSF 20/750 implements the guidelines of the European Banking Authority EBA/GL/2019/04 relating to the management of information and communication technologies (“ICT”) and security risks (hereinafter “ICT Guidelines”). In addition, the circular specifies that the content of the ICT Guidelines also corresponds to the expectations of the CSSF regarding the risk management measures and the control and security arrangements mentioned in the Law of 5 April 1993 on the financial sector (“LSF”) and in the Law of 10 November 2009 on payment services (“LSP”). Thus, the CSSF expects all entities authorised under the LSF and the LSP – whether or not they are also within the scope of the ICT Guidelines – to implement the content of these ICT Guidelines in order to manage their ICT and security risks.

In addition, the Commission Delegated Regulation (EU) 2018/389 with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (the “RTS”) sets key requirements to improve the security of payment services across the European Union. The payment service providers (“PSPs”) concerned by the new obligations are those defined in points (i), (ii), (iii) and (iv) of Article 1(37) of the Law of 10 November 2009 on payment services (as amended by the Law of 20 July 2018), for which the CSSF is the designated competent authority for supervisory purposes under that law:

i) Credit institutions

ii) Electronic money institutions

iii) POST Luxembourg and

iv) Payment institutions.

The RTS also require all payment service providers who offer payment accounts accessible online to offer at least one access interface enabling account information and payment initiation service providers (AISPs and PISPs) to communicate securely with the PSP and to access the payment service user’s payment account data. PSPs that have opted to offer access via a dedicated interface are required to implement a contingency mechanism (also called a fallback mechanism), unless they receive an exemption from the CSSF in accordance with the four conditions set out in Article 33(6) of the RTS.

All PSPs concerned that would like to obtain such an exemption are required to refer to Circular CSSF 19/720, which adopts the EBA Guidelines specifying further the conditions to benefit from an exemption from the contingency mechanism under Article 33(6) of the RTS, and to fill in the form for an exemption authorisation request available on the CSSF website. This form must be submitted via email to the address psd2‑exemption@cssf.lu.

IT Outsourcing

In recent years, not least due to recent changes in regulation, financial institutions have taken the opportunity to outsource IT activities. They are taking advantage of economies of scale, grouping efforts with group entities or making use of external service providers offering solutions adapted to their business models and processes. Nevertheless, outsourcing IT activities can create challenges for the governance framework of financial institutions, particularly for internal controls and data management and protection, and may even lead to security issues.

Under Circulars CSSF 12/552, CSSF 17/656 and CSSF 20/758 respectively, financial institutions shall obtain prior authorisation from the CSSF for the outsourcing of a material IT activity (seen as “critical or important functions” in the sense of EBA/GL/2019/02). To assist with the materiality assessment, an FAQ is provided. For the purpose of the authorisation, a template has been developed that must be submitted to the agent in charge of the supervision of the entity via the agreed communication channels, as stated in the template. Should the outsourcing be towards a support PFS according to Articles 29-1 to 29-6 of the Law of 5 April 1993 on the financial sector (LSF), a notification stating that the conditions laid down in the respective circular are complied with is sufficient.

Please note that where an IT outsourcing, or a chain of outsourcing exclusively composed of IT outsourcing, relies on a cloud computing infrastructure as defined in Circular CSSF 17/654, the points of sub-chapter 7.4 of Circular CSSF 12/552, Circular CSSF 17/656 and Circular CSSF 20/758 shall not apply and the financial institution shall comply with the requirements of Circular CSSF 17/654. For more details refer to the following section.

Under Circular CSSF 18/698, investment fund managers must notify the CSSF in advance of the use of a third party for consultancy, programming, maintenance or management of IT systems, and such recourse must be formalised by a service contract. Furthermore, Circular CSSF 17/654 applies to investment fund managers if they use a cloud computing infrastructure. For more details refer to the following section.

The EBA has recently issued its Guidelines on outsourcing arrangements which have become applicable as of 30 September 2019, apart from paragraph 63(b) which applies from 31 December 2021.

Specificities regarding IT outsourcing relying on a cloud computing infrastructure

IT outsourcing relying on a cloud computing infrastructure has become more and more attractive to financial institutions over the past years. The CSSF has been at the forefront of analysing solutions offered by cloud service providers (CSPs) in order to clarify and establish a concrete regulatory framework as regards IT outsourcing relying on cloud computing infrastructures.

The resulting Circular CSSF 17/654, as amended, has two essential features, namely:

  1. a definition of the cloud from reputable organisations, comprising the five essential characteristics, and supplemented by two specific requirements related to the exclusion of data access by the cloud service provider and the provision of automated resources without the need for human intervention;
  2. the definition of the roles of the actors involved in the outsourcing and their respective responsibilities.

Paragraph 26 of the circular describes in detail the obligation to inform the competent authority when making use of IT outsourcing relying on a cloud computing infrastructure. To facilitate the filing of this information, a series of five forms has been created (Form A – Form E), and a summary document (which can be found below in the section “Guidance”) describes which form is to be used in which case. Finally, an FAQ and the template for the register are also provided.

Incident Reporting

The increasing complexity of information and communication technology (ICT), paired with the rise in online services and the interconnectedness of financial institutions, renders the operations of financial institutions vulnerable to IT incidents and in particular to external security attacks, including cyber-attacks.

Once IT incidents or external security attacks occur, they can have a significant operational, financial and/or reputational impact on the financial institutions concerned, and may even endanger the entire ecosystem or serve as an early warning for future incidents.

As such, a number of obligations exist to report IT and cyber incidents and attacks to the supervisory authority (CSSF and/or ECB), so that the supervisory authority is kept informed of such incidents.

Under Circular CSSF 11/504, all establishments subject to the supervision of the CSSF are required to report frauds and incidents due to external computer attacks. This reporting allows the CSSF to follow each incident closely, to anticipate, where possible, the potential impact and consequences for the financial market, and may lead to the issuance of recommendations for financial institutions based on the reported incidents. These incident reports are to be submitted to the respective agent in charge of the supervision of the entity via the agreed communication channels.

Furthermore, Circular CSSF 21/787, applicable to all payment service providers, transposes the requirements of the EBA guidelines on major incident reporting under the PSD2, requiring payment service providers to report major operational or security incidents to the CSSF without undue delay. These reports are to be submitted, as described in the annex to the circular, via the file channel system.

TIBER-LU

Critical entities of the financial sector in Luxembourg must be able to adequately resist cyber-attacks in order to ensure their own resilience and thereby contribute to that of the financial sector as a whole. To help achieve this objective, the Banque centrale du Luxembourg (BCL) and the Commission de surveillance du secteur financier (CSSF) decided to jointly adopt the testing framework for controlled cyber-attacks, namely TIBER-LU, in line with their respective financial stability mandates.

TIBER-LU’s adoption follows the publication in May 2018 of the European framework TIBER-EU [1] by the European Central Bank (ECB). The TIBER-EU framework aims to i) test the resilience of financial market entities, ii) facilitate tests for cross-border entities that are subject to supervision by several authorities, and iii) help entities to better assess their protection, detection and response capabilities against cyber-attacks. In this context, the TIBER-EU framework sets out a harmonised European approach for the conduct of threat-led penetration tests that mimic the tactics, techniques and procedures of real-life threat actors and that simulate a cyber-attack on the critical functions and underlying systems of an entity.

The TIBER-EU framework, which was designed to be adopted by national and European authorities and for entities that are essential to the functioning of the financial infrastructure, can be used by all types of entities of the financial sector and also by entities of other sectors.

In line with the TIBER-EU framework, each jurisdiction adopts the European framework at national level by adapting its implementation to national specificities.


Contacts

tiber@bcl.lu and tiber@cssf.lu

[1] Threat Intelligence-based Ethical Red Teaming

Contact

Questions and documents, unless otherwise specified in our circulars and forms, shall be submitted to the agent in charge of supervision of the respective entity.