Read the CySEC Circular C609

Memo #62-2023
CySEC Circular No: C609
Date: 19/12/2023

Subject: EBA Guidelines on Information and Communication Technology (ICT) and security risks management (EBA/GL/2019/04)
Purpose: To provide clarifications to CIFs on the EBA Guidelines on Information and Communication Technology (ICT) and security risks management
 
In Summary:

CySEC has issued the Circular C609 on 18/12/2023 to provide a number of clarifications to Cyprus Investment Firms (CIFs) on EBA Guidelines on Information and Communication Technology (ICT) and security risks management (EBA/GL/2019/04) (the “Guidelines”).

This Circular C609 is issued following Circular C571, issued on 02/05/2023 with the subject "EBA Guidelines on Information and Communication Technology (ICT) and security risks management (EBA/GL/2019/04)".

Specifically, regarding:

• Paragraph 11 of the Guidelines, CIFs should assign the responsibility for managing and overseeing ICT and security risks to a control function.

In accordance with C609, this control function may be outsourced if appropriate and proportionate to the nature, scale and complexity of the risks inherent in the business model and the activities of the CIF as detailed in section 20(3) of Law 165(I)/2021 and as specified further in Title I of the EBA Guidelines on internal governance under Directive (EU) 2019/2034 (EBA/GL/2021/14).

• Paragraph 11 in section 3.3 “ICT and security risk management framework” of the Guidelines, CySEC clarifies that the internal audit function mentioned under this paragraph is the appointed internal auditor of the CIF, and it is expected to be able to assess comprehensively the ICT and security aspects of the CIF within the scope of its audit responsibilities and to prepare the internal audit report accordingly.

• Paragraph 25 of the Guidelines, CySEC clarifies that the audit mentioned under this paragraph may be performed by the internal auditor of the CIF or by another auditor appointed by the CIF. An independent assurance report, prepared either by the internal auditor or by another auditor, should be produced. This separate report aims to provide independent assurance of the effectiveness of the CIF's governance, systems and processes in addressing ICT and security risks, giving the management body valuable insight.

The EBA Guidelines (EBA/GL/2019/04) can be found on the following link:
