Luxembourg - CSSF issues Circular 21/769 on governance and security requirements for Telework

15/04/21

In brief

On 9 April 2021, the CSSF issued a new circular (21/769) in response to the growth of Telework and the related security risks.

This circular, entering into force on 30 September 2021, is addressed to all Supervised Entities of the financial sector and is aimed to frame the governance and security requirements such entities must comply with when employing Telework solutions.

Contrary to previous requirements, the implementation of Telework by Supervised Entities will not necessitate any prior approval by the CSSF. The CSSF will however monitor compliance of these entities with this circular and amend these requirements if necessary.

For further information, the Circular 21/769 is available here

In more detail

With the circular 21/769, the CSSF defines requirements (both organisational and technical) to ensure an adequate governance and protection level when implementing Telework solutions.

This circular provides guidance on the governance and security requirements to ensure Supervised Entities define appropriate policies, procedures and processes and supply appropriate resource (both human and technical) for Telework management.

Who is impacted?

This circular directly applies to supervised entities including their branches in Luxembourg or abroad. It also applies to Luxembourg branches of entities originating from outside of the European Economic Area.

What are the main aspects?

Below is an abstract of requirements and advice provided by the CSSF in this circular:

  • The Board of Directors of the Supervised Entity (or any representational body) will be the ultimate responsible for the Telework organisation;
  • The Supervised Entities must ensure Telework does not bring any violation to the applicable legal and regulatory requirements, especially requirements from mandatory public policy provision, professional secrecy, data protection, social security and tax related requirements;
  • In order to maintain a robust central administration, specific criteria shall be applied to define the extent of Telework permitted with regards to the number of staff, working times and presence of key function holders. Staff members shall be able to return to the Supervised Entities premises on short notice in case of need. In addition, at least one authorised manager shall be on-site at the head-office at all times;
  • The Supervised Entities shall perform and regularly review a risk analysis to identify the inherent risks in implementing Telework;
  • The Supervised Entities shall determine and enforce the key principles to be applied in a Telework context in order to ensure that the entity’s activities continue in an effective and secure manner. In particular, it shall define and regularly review (at least annually) a Telework Policy; 
  • The Supervised Entities shall maintain internal records to evidence compliance with it Telework Policy and make such evidence, upon request, available to the CSSF; 
  • The Supervised Entities’ internal control functions shall independently review the Telework processes and operating controls, and annually report on the use of Telework security policy shall be approved by the Board of Directors, which is aligned with the results of the performed risk analysis and is part of either the security policy or the Telework policy of the Supervised Entity; 
  • The Supervised Entity shall ensure sufficient awareness amongst all staff members related to the risks concerning Telework (e.g. phishing, ransomware attacks) through trainings and internal communications;
  • Access rights dedicated to Telework should preferably be limited compared to on-premise work and subject annual reviews (semi-annual for privileged users);
  • The Supervised Entity must ensure that it keeps control over the security of the devices used by the users to connect remotely (both corporate and private devices); 
  • Remote connections in the Telework context are subject to defined criteria to be met to properly authenticate the user and secure the connections. In addition, data in transit is supposed to be encrypted following current leading practices;
  • The Supervised Entity shall monitor and identify emerging security threats to apply necessary corrections if required, especially related to private owned devices used for Telework;
  • The Supervised Entity should organise regular vulnerability scans/penetration tests to identify risks in relation to Telework;
  • Access logs are supposed to be collected and securely retained for security monitoring purposes.

In conclusion

Telework solutions have become an integral part of entities operating model, especially given the current sanitary crisis context. The implementation of such solutions, which was previously subject to a prior approval by the regulator, is now to be aligned with the requirements of circular CSSF 21/769, given the inherent risks of remote connections to systems and data of Supervised Entities.

In principle, all staff, regardless of its function, may be allowed to Telework within the limits of circular CSSF 21/769, which are notably related to the robustness of the central administration as well as the security of systems and data.

Our Governance, IT security and IT regulatory experts can support you in ensuring that these requirements are fully understood and complied with when implementing or maintaining your Telework solutions.

1. PwC Luxembourg (www.pwc.lu) is the largest professional services firm in Luxembourg with 2,800 people employed from 77 different countries. PwC Luxembourg provides audit, tax and advisory services including management consulting, transaction, financing and regulatory advice. The firm provides advice to a wide variety of clients from local and middle market entrepreneurs to large multinational companies operating from Luxembourg and the Greater Region. The firm helps its clients create the value they are looking for by contributing to the smooth operation of the capital markets and providing advice through an industry-focused approach.

2. The PwC global network is the largest provider of professional services in the audit, tax and management consultancy sectors. We are a network of independent firms based in 155 countries and employing over 284,000 people. Talk to us about your concerns and find out more by visiting us at www.pwc.com and www.pwc.lu.

Contact us

Florian Bewig

Regulatory & Compliance Advisory Services - Banking - Managing Director, PwC Luxembourg

Tel: +352 49 49 48 4169

Cécile Liégeois

Regulatory & Compliance Advisory Services - Banking - Partner, PwC Luxembourg

Tel: +352 49 48 48 2245

Koen Maris

Cybersecurity Leader, PwC Luxembourg

Tel: +352 49 48 48 2096

Follow us