IT regulation and IT Outsourcing in Luxembourg - what you need to know

This training aims to provide an introduction to the main IT regulatory requirements applicable to CSSF Supervised entities with a specific focus on the topics of ICT & Security Risk management (CSSF 20/750), IT Outsourcing and cloud computing (CSSF 22/806), Fraud & Incident reporting (CSSF 11/504) and Teleworking requirements (CSSF 21/769). These requirements will be supported by good market practices and practical examples. The goal is to increase your comfort level when confronted with IT specific regulations and to strengthen your Company’s oversight and IT risk management capabilities. This training course is designed as an essential step to assist you to address the following challenges, among others:

• What is the current IT regulatory framework in Luxembourg?
• Which IT regulations are applicable to your organisation (including Investment Fund Managers, Banks, PSFs, E-money and payment institutions)?
• What are the main ICT risks to be considered in the risk management framework of your organisation?
• How to assess the ICT risks? What controls should be foreseen?
• What does IT outsourcing mean from a regulatory perspective?
• What are the key considerations prior to your IT outsourcing arrangements?
• What are the key aspects to know prior to your implementation of a telework solution within your organisation?

Objectives

By the end of this training, the participants will be able to:

• Have a clear overview of the main applicable IT regulations
• Understand the key considerations and the common pitfalls while strengthening the IT regulatory framework;
• Identify the main aspects of managing IT/cloud outsourcing and ICT related risks;
• Describe the key documentation requirements.

IT Regulatory Landscape in Luxembourg

• Main provisions defined by laws and circulars, concepts and available guidance
• Key challenges and common pitfalls

ICT & Security Risk Management as per CSSF 20/750

• Governance & Risk management
• Information Security
• ICT operations / Change / Project management
• Business continuity management
• Payment services users relationship management
• Main ICT risks and oversight
• Key documentation to maintain (incl. procedures & policies, risk register, risk reporting, ICT assets inventory)

IT Outsourcing & Cloud computing

• Concept of IT outsourcing materiality
• Key focus of IT outsourcing lifecycle
• Outsourcing & Professional secrecy requirements
• IT outsourcing vs. Cloud outsourcing
• Assessment of the applicability of Cloud specific regulations
• Role & Responsibilities
• CSSF prior notification request process
• Main outsourcing risks and oversight
• Key documentation to maintain (incl. materiality assessment, due diligence, risk assessment, cloud register)

Fraud & Incident management as defined by CSSF 11/504

Teleworking requirements (CSSF 21/769)