Teleworking is now gaining ground in most workplaces. This implies the need for guidelines to regulate processes based on teleworking solutions. In this regard, on April 9, the CSSF published Circular 21/769 on Governance and security requirements for Supervised Entities.
The Circular focuses on three purposes:
- To contribute to prudent management of teleworking.
- To ensure the proper organization of entities supervised by the CSSF.
- To ensure the preservation of information security.
Whom does it address?
The Circular is limited to the regulatory requirements of the financial sector. It does not apply to the contractual relationships between supervised entities and their employees. All entities under CSSF supervision in Luxembourg, including their branches abroad, as well as Luxembourg branches of entities based outside the European Economic Area, fall within the scope of the Circular's requirements. However, its scope excludes extraordinary scenarios, such as the current pandemic situation, and contexts that require the activation of a Disaster Recovery or Business Continuity Plan. In addition, no CSSF approval is required to implement, maintain, or extend teleworking solutions for the staff of a supervised entity.
CSSF Circular on teleworking: what are the guidelines?
Teleworking is defined as any activity carried out regularly, or on an occasional and voluntary basis, during established working hours and in a place other than the official workplace. The work must be performed using advanced technological solutions, with the approval of the employer.
The Circular underlines that, unless impediments to regular operations prevent it, all employees can telework, independently of their role.
Before an arrangement qualifies as teleworking, entities must assess:
- Risks associated with labor, tax, corporate, and social security law
- Risks linked to the execution of confidential tasks by remote users
- Data protection risks
Furthermore, entities must ensure:
- Computer network security
- Protection of confidentiality and integrity
- Accessibility of data and information systems
The Circular sets out further criteria that define teleworking:
- A solid central administration in Luxembourg
- Critical tasks performed continuously by a responsible member of staff on site
- Limited teleworking time
- Presence of at least one authorized manager in the corporate office
3. CSSF Monitoring
To evaluate proper implementation, the Circular recommends that statistics and operational incidents related to teleworking be included in the entity's annual reports, which are kept on file and reported to the CSSF.
4. Security Measures
The CSSF lists some additional security measures to guarantee the confidentiality of information used during teleworking:
1. Teleworking security policy and risk awareness
Supervised entities must apply security rules to their ICT systems. They are also obliged to educate their employees about the risks and duties of teleworking, e.g., through training courses.
2. ICT security requirements
The Circular also highlights additional security standards that supervised entities must implement on their ICT systems.
- Implementation of the "need-to-know" principle and of security rules governing access to the internal data and information of the supervised entity.
- Control over the security of the devices used to connect remotely to the ICT system.
- Essential steps for accessing internal data, covering:
  - proper authentication of the remote worker;
  - identification of the device used for the remote connection;
  - the remote location of the connection;
  - the connection time.
- A logging process that enables effective monitoring of connections.
- Proper operation of the communication chain from the remote device to the enterprise infrastructure.
- Technological audits to detect new security weaknesses.
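The four checks the Circular lists for access to internal data (authenticated user, identified device, connection location, connection time), together with the logging process that supports monitoring and the statistics the entity reports to the CSSF, are easiest to see as one small access gate. The following Python is an added illustration written for this page; it is not code from the Circular, the CSSF, or the article's authors. The policy values, the device register, the user names and the sample connection requests are all constructed, and the upstream authentication step (MFA or SSO) is assumed to have already produced the `authenticated` flag.

```python
"""Added example: a remote-access gate that applies the four access checks,
writes one structured log record per decision, and compiles monitoring
statistics from those records. All values below are constructed."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional
import json

# Constructed policy values; a real entity takes these from its own teleworking policy.
ALLOWED_COUNTRIES = frozenset({"LU", "FR", "DE", "BE"})   # permitted remote locations
WORK_HOURS = (time(7, 0), time(20, 0))                     # established working hours

# Constructed device register: device identifier -> user the device was issued to.
REGISTERED_DEVICES = {
    "lt-0417": "a.muller",
    "lt-0522": "b.schmit",
}


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    authenticated: bool          # outcome of the entity's MFA/SSO step (assumed upstream)
    device_id: Optional[str]     # identifier presented by the device, e.g. from a certificate
    country: str                 # source location of the connection
    timestamp: datetime          # connection time


def evaluate(req, registered_devices=REGISTERED_DEVICES,
             allowed_countries=ALLOWED_COUNTRIES, work_hours=WORK_HOURS):
    """Apply the four checks and return a log record describing the decision."""
    reasons = []
    if not req.authenticated:
        reasons.append("user_not_authenticated")
    # The device must be known and must be the one issued to this user.
    if req.device_id is None or registered_devices.get(req.device_id) != req.user:
        reasons.append("device_not_registered_to_user")
    if req.country not in allowed_countries:
        reasons.append("location_not_permitted")
    start, end = work_hours
    if not (start <= req.timestamp.time() <= end):
        reasons.append("outside_working_hours")
    return {
        "user": req.user,
        "device_id": req.device_id,
        "country": req.country,
        "time": req.timestamp.isoformat(),
        "decision": "allow" if not reasons else "deny",
        "reasons": reasons,
    }


def write_log(record, sink):
    """Append one JSON line per decision; every record carries all four attributes."""
    sink.append(json.dumps(record, sort_keys=True))


def monitoring_summary(log_lines):
    """Compile the statistics an entity would keep for its monitoring report."""
    records = [json.loads(line) for line in log_lines]
    deny_reasons = Counter(r for rec in records for r in rec["reasons"])
    return {
        "connections": len(records),
        "allowed": sum(rec["decision"] == "allow" for rec in records),
        "denied": sum(rec["decision"] == "deny" for rec in records),
        "deny_reasons": dict(deny_reasons),
        "teleworking_users": sorted({rec["user"] for rec in records
                                     if rec["decision"] == "allow"}),
    }


# Constructed sample connections: one compliant, three that fail one or more checks.
SAMPLE_REQUESTS = [
    ConnectionRequest("a.muller", True, "lt-0417", "LU", datetime(2021, 10, 4, 9, 5)),
    ConnectionRequest("b.schmit", True, "lt-0522", "FR", datetime(2021, 10, 4, 21, 30)),
    ConnectionRequest("a.muller", True, "lt-0522", "LU", datetime(2021, 10, 5, 10, 0)),
    ConnectionRequest("c.weber", False, None, "US", datetime(2021, 10, 5, 3, 15)),
]


def run_sample():
    """Evaluate the sample requests, log each decision, and summarize the log."""
    log = []
    for req in SAMPLE_REQUESTS:
        write_log(evaluate(req), log)
    return log, monitoring_summary(log)


if __name__ == "__main__":
    log, summary = run_sample()
    for line in log:
        print(line)
    print(json.dumps(summary, indent=2))
```

The third request is the instructive one: the user is authenticated, inside the permitted location and within working hours, but the device presented is registered to a different employee, so the gate denies it and the log record names the failed check. Keeping the reason list in every record is what lets the summary distinguish operational incidents (a registered device used outside working hours) from attempted misuse (an unknown device from an unpermitted location).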
CSSF Circular 21/769 will take effect on September 30, 2021. Our IT regulatory specialists can help you ensure these requirements are fully understood and met when implementing or maintaining your teleworking solutions. Don't hesitate to contact us!