This training aims to provide an introduction to the main IT regulatory requirements applicable to CSSF supervised entities with a specific focus on the topics of ICT and security risk management (CSSF 20/750), IT outsourcing and cloud computing (CSSF 22/806), incident reporting process (CSSF 24/847) and teleworking requirements (CSSF 21/769).
This presentation will be supported by good market practices and practical examples. The goal is to increase participants' comfort level when confronted with IT specific regulations and to strengthen their company’s oversight and IT risk management capabilities.
This training course is designed as an essential step to assist participants in addressing the following challenges, among others:
- What is the current IT regulatory framework in Luxembourg?
- Which IT regulations are applicable to your organisation (including investment fund managers, banks, PFS, e-money and payment institutions)?
- What are the main ICT risks to be considered in the risk management framework of your organisation?
- How to assess the ICT risks? What controls should be foreseen?
- What does IT outsourcing mean from a regulatory perspective?
- What are the key considerations prior to your IT outsourcing arrangements?
- What are the key aspects to know prior to your implementation of a telework solution within your organisation?
Duration: 4h
Language: Available in English
Number of participants: up to 15
Available as intra-company course (i.e. dedicated session on demand)
Objectives
By the end of this training, participants will be able to:
- have a clear overview of the main applicable IT regulations;
- understand the key considerations and the common pitfalls while strengthening the IT regulatory framework;
- identify the main aspects of managing IT/cloud outsourcing and ICT related risks;
- describe the key documentation requirements.
Content
- IT regulatory landscape in Luxembourg
- Main provisions defined by laws and circulars, concepts and available guidance
- Key challenges and common pitfalls
- ICT and security risk management as per CSSF 20/750
- Governance and risk management
- Information security
- ICT operations/change/project management
- Business continuity management
- Payment services users relationship management
- Main ICT risks and oversight
- Key documentation to maintain (incl. procedures and policies, risk register, risk reporting, ICT assets inventory)
- IT outsourcing and cloud computing
- Concept of IT outsourcing materiality
- Key focus of IT outsourcing lifecycle
- Outsourcing and professional secrecy requirements
- IT outsourcing vs. cloud outsourcing
- Assessment of the applicability of cloud specific regulations
- Roles and responsibilities
- CSSF prior notification request process
- Main outsourcing risks and oversight
- Key documentation to maintain (incl. materiality assessment, due diligence, risk assessment, cloud register)
- ICT related incident reporting requirements as defined by CSSF 24/847
- Teleworking requirements (CSSF 21/769)
Target audience
- Chief risk officers and (operational) risk managers
- Regulatory responsible and compliance officers
- Internal auditors
- Head of IT, information security officers and IT officers
- IT services providers serving the entities under the supervision of the CSSF
Our lead experts
This course is coordinated by Cécile Liégeois, Partner, and presented by Xiaoyi Fang and Vojtech Volf, Senior Managers at PwC Luxembourg.
With 23 years of professional experience in Luxembourg, Cécile has developed a deep understanding of the regulations governing banking and investment firms, internal governance, outsourcing arrangements (BPO/ICT/Cloud), and operational/ICT risk management. She leads projects for the implementation of new regulations, focusing on their business, regulatory, and operational impacts.
Cécile also possesses experience in external audits (financial and regulatory) of entities within the financial sector, particularly in the banking industry. Her expertise extends to other professionals in the financial sector, such as investment firms, support and specialised Professional of the Financial Sector (PFS) entities, management companies, and investment funds.
Xiaoyi Fang is a senior manager with in-depth experience in implementing European regulatory requirements, in reviewing the compliance framework for financial institutions and familiar with EU regulatory process in financial services.
She has driven and contributed to a number of projects in complex structure and dynamic environments.
Vojtech is a senior manager in our PwC regulatory and compliance department specialised in ICT compliance.
He has been working on IT compliance related topics for over 6 years and for PwC since 2018.
Vojtech works on various IT subjects related to IT compliance, PSD2, outsourcing (BPO/Cloud/IT), IT and security risks, privacy as well as payment related aspects. He also assists in various licence application processes, be it for e-money or payment institutions, IFMs where he focuses on IT aspects, data privacy as well as operational aspects for payments (payment flows, safeguarding, segregation etc.).
