Since 2020, the whole world has been living with the Covid-19 health crisis. Companies have adapted their working methods, giving way to a hybrid system split between working in the office and working from home.
In order to establish a legal framework, the Commission de Surveillance du Secteur Financier (CSSF) issued Circular 21/769, introducing the rules to be implemented within each PFS (professional of the financial sector) entity. Although it was originally meant to come into force when the end of the pandemic was announced, it will enter into force on January 2nd if no new governmental measures are announced by then.
Want to know more and evaluate your compliance? We explain it all below.
Circular 21/769 concerns all regulated entities of the financial sector, including foreign branches of Luxembourg entities and branches of entities from countries outside the European Economic Area, provided that those home countries have also ruled on teleworking. Beware: if this is not the case, the entities could take refuge behind the legal notions of their respective countries, so do not neglect this step.
Through its circular, the CSSF asks all regulated entities to define a telework governance framework: a policy document that defines the right to telework, whom it applies to and the measures needed to implement it. This policy must also include a section on information system security.
Be aware that when a company triggers its disaster recovery plan because it can no longer operate from its own premises, the use of third-party BCP (business continuity plan) rooms does not fall within the scope of teleworking.
The general principles are to preserve the key requirements that the financial sector already imposes on regulated entities. By this we mean:
Circular 21/769 requires regulated companies to report to the CSSF. The elements reported allow the CSSF to verify that the entities concerned comply with the circular.
But that is not all. The circular also requires compliance with national legislation, including cross-border agreements. When building your governance framework, think about how you will document telework and control it: you need to keep records of the number of days teleworked per employee and ensure that the limits set by the cross-border agreements are not exceeded.
Always inform your employees of the current agreements and the maximums not to be exceeded, and include all of these provisions in the governance framework. Tip: this policy must be shared with and agreed upon by all employees. It takes the form of an appendix containing all the provisions of the circular, attached to the existing employment contract.
In the CSSF circular 21/769, the requirements are essential and must be respected:
Secondly, it is the employer’s duty to verify that the location is respected.
It is also important to note that exceptions may be provided for in the policy. By "exceptions" we mean that VIPs or members of management may need to use their telework devices in locations other than their homes.
As a service provider, we were keen to opt for an efficient solution offering better management, control and auditing of all connections to the client's infrastructure. Wallix Bastion meets these needs and facilitates compliance with CSSF Circular 21/769.
In the same spirit, managing peripherals and respecting professional secrecy and data protection requirements are equally important points that must not be neglected.
This is why the Board of Directors of supervised entities is required to maintain a complete and precise policy framing telework at the level of:
Please note that the telework policy must be reviewed and validated annually by management.
Supervised entities must keep the evidence that allows compliance with the obligations resulting from the telework policy to be checked, and keep it at the disposal of the CSSF.
Internally, annual reports must include any anomalies that occurred while teleworking as well as statistics, and the report must be validated by management.
Awareness training is essential for the successful operation of telework. Every employer must ensure that all staff members are made aware of the risks and good practices of telework. Training is annual, mandatory and covers all the technical and organizational risks the company may face.
Rsecure provides online awareness training that helps teams adopt the right behaviours.
The company needs to keep control of remote access devices to avoid any problems. The supervised entity must ensure that remote sessions are encrypted (e.g. through a solution such as Citrix) and that the storage medium on which data is recorded is encrypted. The use of external media (storing data on a USB stick or similar) is also forbidden. Last but certainly not least, employees are strictly forbidden from sending company information through private messaging or webmail services (Yahoo, Gmail, etc.).
So be sure to check the content of your messages for potentially sensitive information!
Rsecure has set up a web interface with a self-assessment tool that allows you to assess your compliance. The idea is simple: each company answers a series of questions concerning:
Once the questionnaire is completed, a report is automatically sent to you with the points of attention regarding adherence to this circular. For example, it shows the categories of questions the company has answered as well as its maturity level for controls, documentation and average risk (image below).
Although this mainly concerns PFS, the good practices of circular 21/769 can be applied to all companies.