New CSSF Circular on telework calls for action
On April 9, 2021, the Commission de Surveillance du Secteur Financier (the “CSSF”) published CSSF Circular 21/769 on the governance and security structures of supervised companies regarding the execution of orders and activities via telework (“CSSF Circular”).
The requirements set forth in the CSSF Circular address the governance and security requirements in the implementation and application of telework by a CSSF supervised company.
While the CSSF Circular on telework will generally take effect on September 30, 2021, it will not apply in the event of pandemics (e.g. Covid 19 pandemic) or other extraordinary circumstances with a comparable impact on general working conditions, so the requirements will not apply until the Covid 19 pandemic ends.
CSSF approval for teleworking is not required, as it is the responsibility of supervised entities to assess whether their internal rules comply with the requirements of the CSSF Circular on teleworking (taking into account the proportionality principle of size and organization and the nature, scope and complexity of the activities).
According to the CSSF Circular, supervised entities shall identify all risks arising from telework, monitor and mitigate them accordingly. The internal control functions (i.e. compliance and internal audit) must also consider the telework situation in their duties.
Supervised entities must develop a telework policy, review and update existing policies and procedures to address telework. The practical implementation of the telework policy must also be monitored and documented, particularly through a directory or register that discloses the identity and function of employees authorized to telework. The staff of the supervised entities must be trained with regard to telework. In addition, supervised entities must comply with the specific IT requirements related to telework (e.g. encryption) set forth in the CSSF Circular on telework.
Thus, according to the CSSF Circular, all employees, regardless of their function, can in principle be allowed to telework within the limits of the CSSF Circular, whereby the design of teleworking must refer in particular to the robustness of the central administration as well as the security of the systems and data.
SiBeM Capital Partners is happy to provide you with our services to help you fully understand and comply with these requirements in terms of governance, IT security and IT regulation if you wish to implement or maintain your teleworking solutions in accordance with the CSSF rules.