HackEthic

Cypriot CIFs Must Meet Looming Compliance Deadline

On 2 May 2023, the Cyprus Securities and Exchange Commission (“CySEC”) issued Circular No. C571, announcing the adoption of the European Banking Authority (“EBA”) Guidelines on ICT and Security Risk Management (“Guidelines”) by integrating them into its supervisory practices and regulatory framework.

The Guidelines address the growing ICT and security risks due to the increasing digitalization of the financial sector and greater interconnectedness with other institutions and third parties. This interconnectedness makes financial operations vulnerable to cyber-attacks, highlighting the need for robust cybersecurity measures. The Guidelines emphasize integrating cybersecurity within the overall information security risk management of financial institutions and specify the necessary risk management measures for handling ICT and security risks across all activities.

The Guidelines apply to Cyprus Investment Firms (“CIFs”) that fall under sections 9(1), (3), and (4) of the Prudential Supervision of Investment Firms Law of 2021, specifically those with initial capital requirements of €150,000 and €750,000.

CySEC expects that the relevant CIFs will take the necessary actions to ensure compliance with the Guidelines as soon as possible, and not later than 31.12.2023. Namely:

  • The CIFs will define their governance and internal control framework for ICT and security risks, have the Board of Directors approve it, and implement measures to manage and mitigate these risks
  • The CIFs will delegate to their internal audit function the task of conducting independent reviews and offering impartial assurance regarding the compliance of all ICT and security-related activities and departments within the CIF with its established policies and procedures, in accordance with the specifications outlined in Section 22 of the EBA Guidelines on internal governance (EBA/GL/2017/11)
  • The Board of Directors of the CIF will approve the audit plan, encompassing ICT audits and any significant alterations to it
  • The audit plan and its implementation, including the frequency of audits, should align with the inherent ICT and security risks present within the CIF and should be regularly reviewed and updated

The initial internal audit assessment, examining whether the CIF’s ICT and security-related activities adhere to its internal policies, external standards, and procedures, must be presented to its Board of Directors by 30 June 2024 at the latest. Furthermore, these audit reports should be available for submission to CySEC upon demand.

On 18 December 2023, CySEC issued Circular No. C609, providing clarification on various matters, including the possibility for CIFs to outsource the control function responsible for managing and overseeing ICT and security risks under specific conditions. Additionally, the audit may be conducted either by the CIF’s internal auditor or by an external auditor appointed by the CIF, as long as an independent assurance report is guaranteed.

The HackEthic team strongly urges CIFs falling under the purview of CySEC Circular No. C571 to swiftly meet the outlined requirements. The team also stands ready to offer assistance in implementing the Guidelines, conducting the initial internal audit assessment, and addressing any audit findings that may arise.
