On 25 August 2020, the CSSF published Circular 20/750, which implements the European Banking Authority (“EBA”) guidelines on the management of information and communication technology (ICT) and security risks. In this new circular, the CSSF has embedded the EBA guidelines into its regulatory requirements and is therefore enforcing a high level of governance for ICT, Information Security, and Business Continuity Management. The Circular came into force on 25 August 2020 and is directly applicable.
Missed the webinar on this topic? Below are some of the questions raised during the webinar, together with their answers.
Q: For a company which is a PSF and ISO 27001 certified, what is additionally required by this circular? As there are many overlaps, it would be great to highlight what should be done to fill the gaps.
A: An ISO 27001 certification is strong evidence that the ICT, Risk Management and Security Governance is already mature. It is therefore easier for such an organization to comply with Circular 20/750; however, the circular requires specific security controls and is more demanding, covering other aspects than ISO 27001. A gap analysis is therefore required.
Q: The guidelines of Circular 20/750 are addressed to the financial institutions noted in PSD2. Does it also affect a PSF Support company?
A: As specified in the circular on page 2, the circular is relevant to all credit institutions, all PFS, as well as all payment institutions and all electronic money institutions.
Q: Does the circular also apply to AIFMs (Management Companies / ManCos)?
A: AIFMs are under the law of 12 July 2013 on alternative investment fund managers (not the “LFS” or “LPS”); therefore this circular does not apply.
Are you keen to know more about this topic?
Contact our expert Jean-Hubert Antoine (CISO) to learn how we can help you address this specific topic.