CySEC Implements New Guidelines for ICT Incident Costs


The Cyprus Securities and Exchange Commission (CySEC) has introduced new guidelines focused on the costs associated with major Information and Communications Technology (ICT) incidents. This move comes as a part of the regulatory framework established by the Digital Operational Resilience Act (DORA Regulation).

In a circular released on Wednesday, CySEC announced that financial entities under its supervision will now be required to estimate their aggregated annual costs and losses stemming from significant ICT-related incidents. This action aligns with the joint guidelines issued by the European Supervisory Authorities (ESAs) on July 17, 2024.

The guidelines stem from Article 11(11) of the DORA Regulation, formally recognised as Regulation (EU) 2022/2554, which was established on December 14, 2022. This regulation primarily addresses the digital operational resilience of the financial sector.

All financial entities under CySEC’s jurisdiction are now mandated to report ICT-related losses. This includes a diverse range of organisations such as Cyprus Investment Firms (CIFs), Crypto-Asset Service Providers authorised by CySEC, and issuers of Asset-Referenced Tokens where Cyprus is the home member state. The guidelines also extend to central securities depositories, central counterparties, trading venues, alternative investment fund managers, management companies, and crowdfunding service providers, all of which are authorised by CySEC.

The introduction of these Joint Guidelines aims to establish standardised reporting practices for the aggregated annual costs and losses incurred from major ICT incidents. Article 11(10) of the DORA Regulation underlines the importance of these measures, ensuring that entities can accurately assess and report their financial impacts due to ICT disruptions.

Alongside outlining the methodology for estimating costs, the guidelines specify a common template that financial entities must use when submitting their aggregated annual costs and losses. This structured approach is designed to enhance clarity and consistency across the reporting process.

The ESAs developed these guidelines under their regulatory authority, which empowers them to create common supervisory standards that can be adopted across the financial landscape. This initiative is anticipated to bolster the resilience of financial institutions in the face of technological challenges.
