Risk management obligations CIF

CySEC Circulars C571 & C609 on ICT and security risks management obligations for CIF

On the 18th of December, the Cyprus Securities and Exchange Commission (CySEC) issued Circular C609 as a continuation of Circular C571. The latter was issued on the 2nd of May 2023 to provide further clarifications on the European Banking Authority's (EBA) Guidelines on Information and Communication Technology (ICT) and security risk management, addressed to Cyprus Investment Firms (CIFs). CySEC, as Cyprus' National Competent Authority (NCA), has adopted the EBA Guidelines, further enhancing its supervisory practices. On this legal basis, Class 2 CIFs, i.e. those with initial capital requirements of €150,000 or €750,000, are obliged by the 30th of December 2023 to:

  1. Determine their governance and internal control framework for ICT and security risks. This includes the appointment of a control function responsible for managing and overseeing ICT and security risks. The framework must be approved by the Board of Directors (BoD), and further measures must be established to manage and mitigate the relevant risks.
    • The said control function can be outsourced, taking into account the nature, scale, and complexity of the firm's business model and activities.
  2. Assign the internal auditor the responsibility of providing assurance as to whether the CIF's policies and procedures comply with the EBA Guidelines. This is satisfied by the preparation of an internal audit report on the company's compliance with the ICT and security risk management requirements.
    • The report shall be prepared either by the CIF's internal auditor or by an independent auditor, if the appointed internal auditor does not possess the necessary knowledge, skills and expertise in ICT and security risks.
  3. Have the audit plan approved by the BoD. The audit plan shall follow a risk-based approach to its execution, including the audit frequency, and be updated regularly.

Besides the above, both Circulars highlight that CIFs must have the first internal audit report on the review of the CIF's compliance available for submission to CySEC upon request. The internal auditor shall deliver this report to the CIF's BoD by the 30th of June 2024.

It is noteworthy that the CIF's appointed internal auditor must be able to review and evaluate the ICT and security aspects of the firm. The auditor shall assess whether the company has adopted the necessary measures and controls for ICT and security risk management.

The SALVUS Regulatory Compliance team urges CIFs that fall within the above scope to promptly proceed with the fulfilment of the newly introduced requirements. Should you need assistance in meeting your internal audit obligations, the SALVUS Internal Audit team stands ready to assist you.

Contact us at info@salvusfunds.com if you have any questions or require support with your ICT and security risk management obligations; our SALVUS Internal Audit team is ready to answer your questions.
