CyberFlow: Preparing Fintech Companies for CySEC’s Cybersecurity Mandates and DORA Compliance

In the landscape of cybersecurity, regulatory bodies are constantly raising the bar to safeguard sensitive financial data. One such regulatory authority, the Cyprus Securities and Exchange Commission (CySEC), has issued a circular dated 02/05/2023 that carries significant implications for Cyprus Investment Firms (CIFs). Fintech and Forex companies have no choice but to ensure their cybersecurity is compliant with CySEC and DORA. In this blog post, we will explore CySEC’s directives and how CyberFlow is offering essential cybersecurity services to fintech companies to ensure compliance. Additionally, we will delve into the broader context of the Digital Operational Resilience Act (DORA) proposed by the European Union, which seeks to fortify the cybersecurity and operational resilience of the financial sector.  

CySEC’s Directive: Enhanced Cybersecurity and Compliance Obligations

CySEC’s circular introduces a series of measures aimed at enhancing the cybersecurity levels of CIFs. Let’s break down the key directives: 

Internal Governance and Control Framework:

CIFs are now required to establish robust internal governance and internal control frameworks to manage their ICT (Information and Communication Technology) and security risks effectively. 

Regularly Update Libraries and Dependencies:

Keep your app’s libraries and dependencies up to date to ensure you’re benefiting from the latest security patches and bug fixes. Vulnerabilities in third-party components can become entry points for attackers, so staying current is essential. 

Clear Roles and Responsibilities:

Clear roles and responsibilities must be assigned for ICT functions, information security risk management, and business continuity. This includes roles within the management body and its committees. 

Responsibility for Risk Oversight:

CIFs are mandated to assign the responsibility for managing and overseeing ICT and security risks to a control function within the organisation. 

Regular Auditing:

To ensure compliance, CIFs must subject their governance, systems, and processes for ICT and security risks to periodic audits by qualified auditors with expertise in ICT and security risks. 

Threat-Led Penetration Testing

CySEC’s directives also include a critical element known as Threat-Led Penetration Testing, categorised as follows: 

Mandatory Annual Internal Testing: This testing, accompanied by a report in a specific format provided by the regulator, is obligatory for all actors in the financial sector. 

Advanced Testing (Once Every Three Years): Reserved for companies meeting specific criteria defined by the regulator, this advanced testing is conducted by an external entity. Compliance with this advanced testing allows European Supervisory Authorities (ESAs) to issue a certificate, confirming the company’s adherence to penetration testing standards. Failure to obtain this certification could lead to a potential halt in the company’s activities. 

DORA and Its Implications

DORA, or the Digital Operational Resilience Act, is a regulatory framework proposed by the European Union to bolster cybersecurity and operational resilience in the financial sector. It sets forth a series of obligations for financial entities, including: 

Specific Policies: Companies are required to define specific policies to address cybersecurity and operational resilience. 

IT Risk Management Framework: Implementation of a mature IT Risk Management Framework is mandatory. 

Mandatory Reporting: Companies must share mandatory reports for significant ICT-related incidents. 

Business Continuity and Disaster Recovery: Robust Business Continuity Plans (BCPs) and Disaster Recovery Plans (DRPs) are essential components of compliance. 

Resilience Testing: Companies must conduct mandatory annual resilience testing, approved by the Executive Committee. 

CyberFlow: Your Partner in Compliance

In this era of heightened cybersecurity scrutiny, compliance with CySEC’s directives and DORA is paramount for fintech companies. Non-compliance can result in severe financial penalties and sanctions. A perusal of CySEC’s website underscores their commitment to holding financial companies accountable. CyberFlow, with its extensive expertise in cybersecurity, leads the charge in helping companies meet these regulatory challenges. Our services encompass everything from establishing robust governance frameworks to conducting advanced Threat-Led Penetration Testing. Navigating the technical intricacies of these regulations can be challenging, but with CyberFlow as your cybersecurity partner, you can confidently navigate the evolving regulatory landscape. 

As CySEC and DORA usher in a new era of cybersecurity and operational resilience, fintech companies must proactively pursue compliance. CyberFlow stands ready to provide the guidance and services necessary to ensure your organisation’s adherence to these directives. Stay ahead of the regulatory curve, bolster your cybersecurity defences, and secure your financial institution’s digital resilience with CyberFlow. It could potentially save you tens of thousands in fines and safeguard your reputation.