
20 Jan 2026
CySEC issues guidance to strengthen digital risk management and incident reporting by regulated firms

Nicosia, Cyprus. The Cyprus Securities and Exchange Commission (CySEC) issued new guidance to strengthen how regulated financial firms in Cyprus manage digital risks and technology-related disruptions. The circular highlights incident reporting, operational submissions, ICT governance, and audit expectations.


Scope of the circular

CySEC said the guidance applies to a range of regulated entities, including investment firms, trading venues, fund managers and crypto-asset providers, and is aimed at improving digital resilience across the financial sector.

Technology-related incident reporting

CySEC said it has identified weaknesses in how firms report technology-related incidents, including serious incidents that were not reported and others that were misclassified. The regulator said firms must ensure serious ICT incidents are identified and reported promptly, warning that inaccurate reporting undermines oversight and risk management.

Operational information submissions

The commission reminded regulated entities that spreadsheets are no longer accepted for submitting key operational information and that submissions must be made through the regulator’s online reporting systems. CySEC said this information must be submitted every year by February 28, based on data as at December 31 of the previous year.

ICT risk management framework and oversight

CySEC said firms should maintain a clear and well-documented ICT risk management framework to manage risks linked to technology and cyber threats on an ongoing basis. The regulator said responsibility for overseeing ICT risks should sit with a dedicated and independent control function to avoid conflicts of interest and to support internal checks and balances.

Review and continuous improvement

CySEC said firms are expected to review their ICT risk framework at least once a year, as well as after serious incidents or following internal reviews, and to continuously improve it based on lessons learned.

Audit expectations

CySEC said companies must ensure their ICT systems and controls are regularly audited by suitably qualified and independent auditors, with the depth of audits reflecting each firm’s risk profile.


How will your firm adjust its ICT incident reporting and annual submissions to meet CySEC’s expectations?
