On the 12th of July 2022, the Malta Financial Services Authority (the “MFSA”) issued a Consultation Document on the reporting of major ICT-related incidents, with a consultation period expiring on the 5th of August 2022. The MFSA worked on introducing an updated major ICT-related incident reporting process to replace the previous process, communicated on the 25th of September 2019 under the title ‘Cybersecurity – Threat Mitigation’. The former process was introduced with the aim of safeguarding national as well as international financial institutions from malicious attack campaigns.
The MFSA issued the revised major ICT-related incident reporting process in line with paragraph 4.8.11 of the Guidance Document, in preparation for the entry into force of the Digital Operational Resilience Act (the “DORA”), to further strengthen the process against cyber threats. Further changes to this new process will eventually be made once DORA enters into force.
On the 13th of October 2022, the MFSA published a Circular and a Feedback Statement outlining both the feedback that the MFSA received during the above-mentioned consultation period, and the salient features of the updated major ICT-related incident reporting process. As from the 13th of October 2022, eligible authorised persons are expected to report to the MFSA any major ICT-related incident by using the three-tier approach as outlined in the Reporting Process.
Where an ICT-related incident is classified as major [1], eligible authorised persons are expected to submit an Initial Report to the MFSA through the Licence Holder Portal within four (4) hours after the incident has been classified as major. The MFSA expects such classification to be made within twenty-four (24) hours after the detection of an incident. An Intermediate Report is to be submitted to the MFSA through the Licence Holder Portal within three (3) working days following the submission of the Initial Report; one or more Intermediate Reports may be submitted at different stages of the resolution process. Following that, a Final Report is to be submitted to the MFSA through the Licence Holder Portal within twenty (20) working days after the business is deemed to be back to normal. Templates of the above-mentioned reports can be found on the MFSA’s website, along with detailed Guidelines on how to submit such reports to the MFSA through the Licence Holder Portal.
The other legal obligations that authorised persons have towards other competent authorities for the reporting of incidents under the legislation below remain applicable:
- Reporting obligations to the competent authority under Directive (EU) 2016/1148 (the NIS Directive), later transposed into Legal Notice 216 of 2018 of the Laws of Malta; and
- Reporting obligations to the competent authority under Regulation (EU) 2016/679 (the GDPR).
[1] An ICT-related incident is classified as major if it reaches the specified thresholds in Annex A to the Reporting Process.
Disclaimer: This document does not purport to give legal, financial or tax advice. Should you require further information or legal assistance, please do not hesitate to contact Dr Anthea Sammut.