The end of the Covid-19 pandemic is announced for June 30th. It is therefore time for companies regulated by the CSSF (Commission de Surveillance du Secteur Financier) to put in place the necessary procedures to comply with the regulator’s requirements in terms of teleworking and outsourcing management. But between CSSF circulars 22/804 and 22/806, it is not always easy to find your way around.
Where to start, how to be compliant and what actions to take? Serge Sauvage, PSF Director at Rcube, explains it all to you!
Compliance – timeline
First of all, it is essential to be aware of the different dates of release of the circulars. In order to comply with the CSSF requirements, all processes associated with the circulars must be in place within the companies by the date of entry into force of the texts. Here is a summary of the timetable of the latest announcements :
Once the deadlines have passed, the regulations are considered to be applied in all respects and entities are subject to the regulator’s supervision. Please ensure that all processes are in place before the effective dates of the circulars.
Circular CSSF 22/804, previously named 21/769, relating to teleworking requirements (corporate policies and controls), will enter into force on July 1, 2022. Similar to CSSF circular 22/804, however, it no longer contains a restrictive clause regarding the pandemic status.
This circular on telework covers four main areas :
Rsecure : compliance and security
Specialized in cybersecurity and with a strong experience, the Rsecure team assists you in the compliance of your company thanks to online assessments, gap analysis, drafting of internal policies as well as the development of remote access controls.
It is mandatory to make your teams aware of the risks of cyber-attacks, this is possible thanks to Rsecure: training available online, regular phishing tests to evaluate the level of risk perception of your teams and advice on securing equipment.
Rcube : ICT outsourcing
Rcube also assists you in this compliance process, particularly in terms of securing the communication chain, protecting the equipment used by your employees, through the reports of cybersecurity tests carried out on our installations and finally by producing a report on our private cloud platforms.
The CSSF circular 22/806 on outsourcing and outsourcing governance will come into force on 30 June 2022. Companies will have a transitional period of 6 months to comply fully with the circular, in particular regarding previously outsourced functions, whether or not they are in the ICT domain.
Please note that this new circular does not repeal any previous CSSF circular. It has the right tone to reorganize in a very structured way the information that was scattered in the main circulars on central administration, internal governance and risk management and to modify them accordingly; all this while clarifying the notification requirements for ICT outsourcing.
When it comes to managing their IT infrastructure, entities can make two choices :
The management of the infrastructure is the responsibility of the entity and can be outsourced to a service provider (under the control of the entity) through on-site or remote interventions. Rcube, as a support PFS (OSIRC – art 29-3 LSF), is recognized by the regulator as an IT infrastructure manager and can assist you in outsourcing this function.
Possibility of outsourcing the IT infrastructure
The outsourcing of the infrastructure leads directly to the notions of cloud computing, public cloud or IT outsourcing.
IT Outsourcing is managed externally in conditions that do not meet the definition criteria of cloud computing as expressed by the CSSF. As proposed by Rcube, it is a private infrastructure managed by internal resources.
Cloud computing, based on a private or public cloud, involves a resource operator who will manage the entity’s resources on its behalf. The Cloud Officer function, which can be outsourced, must be held within the entity with the resource operator role. Rcube has officially announced to the regulator its decision to fulfill the function of resource operator for Microsoft 365 and Microsoft Azure clouds for its customers starting next September.
Whatever the choice, the entity will have to guarantee that it controls the internal and external risks related to its IT system. It is therefore expected that a position of information system and security manager (commonly called CISO) will be appointed internally or outsourced. The profile must demonstrate effective information security and cybersecurity skills.
Rsecure : compliance and security
For these ICT outsourcing matters, Rsecure assists you on three axes:
Firstly for the definition of your governance. The team assists you in your compliance through assessments and gap analysis, risk analysis, determination of your exit strategies, drafting of your policies and procedures and assistance for notifications to the regulator;
Second, for security and cybersecurity choices;
Finally, thanks to its “CISO as a Service” offer, Rsecure allows you to meet your outsourcing needs for the CISO (Chief Information Security Officer) function.
You now know more about these two CSSF circulars. If you need more information or if you have any question, please contact us by email at firstname.lastname@example.org or at +352 31 71 32 555.