Summary of CySEC's Circular C571

Memo #25-2023
CySEC Circular No: C571
Date: 03/05/2023

Subject: ΕΒΑ Guidelines on Information and Communication Technology (ICT) and security risks management (EBA/GL/2019/04)
Purpose: To draw the attention to the CIFs to the EBA's Guidelines on ICT and security risk management and for certain actions to ensure compliance with the Guidelines.

In Summary: 

CySEC has issued the Circular C571 on 02/05/2023 to draw the attention to the Cyprus Investment Firms (CIFs) to the Guidelines on Information and Communication Technology (ICT) and security risk management (the ‘Guidelines’), published on 29/11/2019 by the European Banking Authority (EBA).

CySEC informs that it has adopted the Guidelines by incorporating them into its supervisory practices and regulatory approach.

CySEC notes that the guidelines apply to CIFs that fall under sections 9(1), (3) and (4) of the Prudential Supervision of Investment Firms Law of 2021, ie. with initial capital requirement of €150.000 and €750.000. 

The Guidelines address ICT and security risks that have increased in recent years, due to the increasing digitalisation of the financial sector and the increasing interconnectedness through telecommunications channels and with other financial institutions and third parties. This renders financial institutions’ operations vulnerable to external security attacks. Particularly, the Guidelines specify the risk management measures that financial institutions must take to manage their ICT and security risks for all activities.

CySEC further notes that it expects CIFs, which the Guidelines apply, will take the necessary actions to ensure compliance with the Guidelines the soonest possible and not later than 31/12/2023. Specifically, CySEC expects that:

• The CIFs should determine their governance and internal control framework for their ICT and security risks that would be approved by their Board of Directors and establish measures to manage and mitigate their ICT and security risks. 

• The CIFs should assign to their internal audit function to independently review and provide objective assurance of the compliance of all ICT and security related activities and units of the CIF with its policies and procedures, adhering to the requirements of Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11).

• The Board of Directors of the CIF should approve the audit plan, including any ICT audits and any material modifications thereto. The audit plan and its execution, including the audit frequency, should reflect and be proportionate to the inherent ICT and security risks in the CIF and should be updated regularly.

Furthermore, CySEC informs that the first internal audit report regarding the review of the CIFs’ compliance of all ICT and security related activities with its policies and procedures and with external requirements should be submitted to their Board of Directors by 30/6/2024, the latest. The internal audit reports should be available for submission to CySEC upon request.


The Prudential Supervision of Investment Firms Law of 2021 can be found on the following link: 

Read the CySEC Circular C571

Read more news at Regulatory News

{* *}