On August 25, 2020, the Commission de Surveillance du Secteur Financier (CSSF) introduced and published a new circular (CSSF 20/750). This circular applies to all credit institutions, all Professionals of the Financial Sector (PFS), all payment institutions, and all electronic money institutions. Its main objective is to implement the European Banking Authority guidelines EBA/GL/2019/04 on the management of risks linked to information and communication technologies (“ICT”) and security.
A new circular, new guidelines
These guidelines reinforce and affirm the control framework and related requirements in the circulars already in force. Remember that the current circulars deal with governance, risk management, and security in the broadest sense of the term.
Keep in mind that the supervised entities had already been required to comply for years with the internal governance framework. Therefore, these guidelines more specifically address the management of information security risks, and not only ICT risks.
In other words, the risk management framework within the supervised entities will have to integrate a broader scope of analysis than pure ICT risks. They will also have to consider security criteria (confidentiality, integrity, availability) and assess them in light of the resulting business consequences (reputational, operational, legal, financial). Controlling these risks therefore requires a cross-functional approach, one that does not uncouple ICT risks from business risks, as is still too often the case.
Besides, this circular specifies the information security topics each entity must address, and requires that the measures taken be sufficient and adequate for the risks incurred. Thus, each entity must be able to demonstrate that these topics (logical security, physical security, logging and monitoring, vulnerability management, awareness, project and change management, incident management, backup and asset management) are sufficiently mature.
Entities must also address resilience issues by considering business continuity, disaster recovery and crisis management aspects within their processes.
Finally, it is also necessary to run an information security audit. The objective is to independently review, and thereby demonstrate, that the entity has implemented the information security requirements.
How can we help you?
Thanks to our experience in the field of information security, we have established a structured and pragmatic approach to help our clients establish and implement their information security strategy.
We propose the definition of an information security program. First, we establish the organization's level of maturity and its level of risk. Then, we define the target to be reached given its context. Finally, we specify a roadmap, including the budget for each project, which we present to the Board.
This approach is based on recognized frameworks and standards. It allows us to address the real risks pragmatically while being able to visualize the organization’s progress over time with the implementation of projects.