The Malta Financial Services Authority (“MFSA”) has today issued a consultation document entitled “Guidance on Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements.”
The MFSA is proposing to issue principle-based cross-sectoral guidelines in the areas of Technology Arrangements, ICT and Security Risk Management, and Outsourcing Arrangements, and to establish its regulatory expectations with respect to these areas. The Guidance Document is concerned with the following matters:
- High Level Principles: the guidance document is based on four high-level principles: proportionality, principles-based consistency of outcomes, information assurance (IA) in technology arrangements, and approach to cloud computing.
- Technology Arrangements: covers the essential characteristics of cloud computing; cloud computing service models; cloud computing deployment models; shared responsibilities for different cloud service models; isolation in virtualised environments; monolithic, microservices and serverless architectures; unrestricted audit, on-site and remote access, and information gathering and investigations; security monitoring, DLP, eDiscovery and forensic capabilities; consumption of cloud services over the internet; and artificial intelligence and machine learning.
- ICT and Security Risk Management: internal governance and risk management measures that should be taken into account when managing risks associated with technology arrangements, their operations, and the data therein.
- Outsourcing Arrangements: covers internal governance arrangements, including sound risk management, that licence holders should implement when they outsource functions, in particular the outsourcing of critical or important functions, in a technology arrangement or an outsourced business function or process that is delivered as a cloud service.
The MFSA’s consultation is open to the public from 1st July 2020 until 28th August 2020.
The full consultation document may be found at https://www.mfsa.mt/wp-content/uploads/2020/06/Consultation-Document-on-the-Guidance-on-Technology-Arrangements-ICT-and-Security-Risk-Management-and-Outsourcing-Arrangements.pdf