Malta's Financial Watchdog Warns of Uneven Progress on Digital Resilience
Key Takeaways
- Mixed Results: MFSA's 2024 reviews found nearly 90% of Outcomes-based controls fully or partially achieved, while 21% of controls in the broader baseline assessments were rated "not met," signalling uneven resilience across the sector.
- Recurring Weaknesses: Gaps were flagged in ICT risk governance, incident classification and reporting, resilience testing, and oversight of third-party ICT providers.
- Audit Limitations: Internal audit teams often lacked the ICT expertise needed to independently challenge resilience testing programmes.
- Strategic Message: MFSA stressed that digital resilience is not just regulatory compliance but a cornerstone of trust and competitiveness in Malta’s financial sector.
Deep Dive
Malta's financial watchdog is warning that progress on digital operational resilience, while encouraging, is still uneven across the sector. In a Dear CEO letter published this week, the Malta Financial Services Authority (MFSA) laid out the results of its 2024 supervisory reviews and called on firms to push further in meeting the requirements of the EU's Digital Operational Resilience Act (DORA), which has applied since 17 January 2025. The reviews therefore describe the sector's readiness in the year before the regulation took effect.
The regulator’s Supervisory ICT Risk and Cybersecurity (SIRC) function spent 2024 examining firms’ readiness through a dual track of supervisory methods. On one hand, an Outcomes-based framework tested how well institutions were embedding resilience controls in line with regulatory expectations. On the other, more traditional assessments looked at baseline practices across license holders.
The split tells the story: almost 90% of Outcomes-based controls were fully or partially achieved, a figure that lumps partial and full achievement together, while in the broader baseline sample roughly one in five controls was rated "not met." The MFSA welcomed the momentum but cautioned that resilience remains patchy and risks creating an uneven playing field.
Weak Links in the Chain
The letter pointed to recurring shortcomings in several areas of the DORA rulebook. Firms often lacked clear ICT risk governance and had not integrated ICT risk into enterprise risk management. Incident management procedures showed weak spots too, particularly in classifying incidents against consistent criteria and reporting them in a timely way.
Resilience testing also remains underdeveloped. While some firms have started programmes, the MFSA found little evidence of structured, threat-led testing such as penetration tests or red team exercises. Compounding the issue, many internal audit teams lack the ICT expertise to independently challenge these programmes.
Third-party oversight was another weak point. Too many institutions still operate with incomplete registers of outsourced ICT providers, even though DORA requires firms to maintain a register of information covering all contractual arrangements with ICT third-party providers. Without a complete register, a firm cannot properly assess its exposure to continuity, confidentiality, and auditability risks in its supply chain.
From Rules to Reality
Alan Decelis, the MFSA’s Head of Supervisory ICT Risk and Cybersecurity, praised the sector’s commitment but stressed that complacency is not an option.
“The progress demonstrated by license holders in 2024 shows a stronger commitment to embedding digital operational resilience within their organizations. However, as the threat landscape evolves, sustained investment and sector-wide collaboration remain critical to achieving consistent and robust resilience across the financial system,” he said.
For the MFSA, resilience is not just a box-ticking regulatory exercise. The Authority framed it as a cornerstone of trust and competitiveness in Malta’s financial services industry, and one that requires constant reinforcement as digital threats grow more sophisticated.
The message will take centre stage at the upcoming Cyber Finance Summit on October 15–16 in Valletta, where regulators, financial institutions, and ICT providers will share strategies for navigating the digital age.
Published by The GRC Report, a governance, risk, and compliance news outlet.