LIC FMA issued guideline 2021/3 on monitoring of risks linked to use of information and communication technology (ICT risks), to strengthen financial sector security.
Guidelines also defined requirements intermediaries must meet when dealing with ICT risks.
LIC FMA also published guidelines 2021/17, which described the possibility of a graduated implementation of the ICT security directive under certain conditions.
ICT Risks
Include ICT security incidents such as data leaks or system failures, which can result from internal errors, as well as from external events such as cyber attacks.
More networking raises vulnerability of financial service providers' ICT infrastructures.
Guidelines aimed to minimize risk of ICT security incidents and show how to counter risks.
Set out, among other things, requirements for information security risk management, ICT strategy and governance of intermediaries, and associated structures and processes.
Requirements based on entity's risk structure, complexity, size, scope and type.
Effectiveness
The ICT directive ensures financial center stability, security, and protection of customers.
The guideline is in force from Jan. 1, 2022.
Jan. 7, 2025 Updates
On Jan. 7, 2025, LIC FMA issued ICT Security Directive 2021/3, with scope amended in Dec. 2024 by supervisory board resolution, following preliminary implementation of the Digital Operational Resilience Act (DORA), which is effective from Feb. 1, 2025.
Adjusted to only apply to financial intermediaries that do not fall within scope of DORA.
Definitions/terms align to DORA; in response to intermediary questions, clarifications have been incorporated; takes into account DORA simplifications compared to 2021/3.
Main content changes: minimum requirements for creating register of contractual agreements (formerly register of outsourcing agreements); reporting ICT incidents.