Since 2020, the whole world has been living with the Covid-19 health crisis. Each company has adapted its working methods, giving way to a hybrid system, split between working in the office and working at home.

In order to establish a legal framework, the Commission de Surveillance du Secteur Financer (CSSF) issued Circular 21/769 introducing the rules to be implemented within each PFS entity. Although it was supposed to come into force at the time of the announcement of the end of the pandemic, it will come into force on January 2nd if no new governmental measures are announced by then.

You want to know more and evaluate your compliance ? We explain it all to you !

 

Scope of application

Circular 21/769 concerns all regulated entities including the financial sector, foreign branches of Luxembourg entities and branches from countries outside the European Economic Area provided that these home countries have also ruled on teleworking! Beware, if this is not the case, the entities could take refuge behind the legal notions of their respective countries ! So do not neglect this step!

 

HR part

Through its circular, the CSSF asks all regulated entities to define a telework governance framework. This is a document, a policy that defines the right to telework, to whom it is addressed and the measures to achieve it. A section on system security should also be included in this policy.

Be aware that when a company triggers a disaster plan, so that it can no longer operate from its own premises, using the BCP rooms of third party companies does not fall within the scope of teleworking.

General Principles

The general principles are to maintain the key axes that the financial sector requires from us. By this we mean:

    • – Confidentiality, integrity and availability of data and information systems. The financial sector must be vigilant about activities done at home. Companies will have to describe which tasks they will allow and which they will not. There will also be a need to fill out the critical activity log that will need to be established by companies and management committees.
    • – A teleworking solution does not require authorization from the CSSF. Indeed, this circular is issued by the Commission so that PFS can respect the rules related to telework as well as provide a framework and best practices to secure the workspace.
    • – Differentiate the levels of privileges granted to users by clearly indicating the levels of privileges allowed in telework.

Legal Provisions

Circular 21/769 requires regulated companies to report. All the elements reported will allow the CSSF to certify that the entities concerned comply with the circular.

But that is not all. The circular also requires us to comply with country legislation, including cross-border agreements. When you are building your corporate governance, think about the method you are going to use to document this telework and to control it. You need to keep records of the number of days teleworked and ensure that cross-border agreements are not exceeded.

Always be sure to inform your employees of current agreements, maximums not to be exceeded, and to include all of these provisions in governance systems. Tip: This policy must be shared and agreed upon by all employees. It will be an appendix that will include all the provisions of the circular and will be attached to the pre-existing employment contract.

Basic requirements

In the CSSF circular 21/769, the requirements are essential and must be respected:

    • – Define the number of teleworking employees and the location : this may sound surprising but not everything is teleworking. Indeed, vacations, training and illness are not telework. It is therefore necessary to define what telework is and where the employee can do it.

Secondly, it is the employer’s duty to verify that the location is respected.

It is also important to note that exceptions may be made in the policy. By  “exceptions” we mean that VIPs or members of management may be required to use telecommuting devices in locations other than their homes.

    • – Respect work time: Telecommuting does not mean that employees are subservient to their employer 24/7. It is necessary to indicate which time slots are for work and which are for private life. Note that office time is the same as home time.
    • – Presence of a member of the management: The circular requires a representative part of the management. One member must be present on site at all times. However, the CSSF takes into account the notion of distance for which it accepts a limited presence. It wishes to be able to meet with the management at any time within an hour or so. If our home or the management’s home is more than one hour away, it is the company’s duty to set up a rotation to guarantee at least 50% of the management’s presence.
    • – Ensuring critical activities at all times: these activities are often carried out by the management and the latter must be present for at least 50% of the time, so the activities should be covered without any problem. However, complex cases must be anticipated and background treatments must be managed through risk analyses to define unauthorized activities while teleworking. This is a document that all entities should have in addition to the basic policy in place.
    • – Reporting (essential on an annual basis): Where are the risk analyses, the gap analysis, how will the entity measure critical activities, how to ensure that the policy is respected?
    • – Avoiding disruptions : provide the framework for the employee’s telecommuting and ensure that he or she has everything needed at home to work properly. Coaching the employee to feel like they are in the office. Ensure that the device is correct and functional.
    • – Provide face-to-face accountability.

Homeworking

 

IT security, or how to protect your entity to be compliant with the circular ?

As a service provider, we were keen to opt for an efficient solution, offering better management, control and auditing of all connections on the client’s infrastructure. Wallix Bastion meets these needs and allows for seamless compliance with CSSF 21/769.

In the same spirit, managing peripherals and respecting professional secrecy and data protection requirements are equally important points that must not be neglected.

This is why the Board of Directors of the supervised entities is required to maintain a complete and precise policy framing telework at the level of :

– Telecommuting activities,

– Office activities,

– Number of telecommuting employees,

– Strategic functions,

– Authorized management presence…

Please note that the telework policy must be reviewed and validated annually by the management.

The supervised entities must keep the evidence allowing the control of the respect of the obligations resulting from the telework policy (at the disposal of the CSSF).

Internally, annual reports must include any anomalies that may have occurred while teleworking, include statistics and the report must be validated by management.

 

Risk Awareness

This is essential for the successful operation of telework. Every employer must ensure that all staff members are made aware of the risks and practices of telework.  It is annual, mandatory and covers all technical and organizational risks that companies might face.

Rsecure sets up online awareness trainings that allow to train the teams to adopt the right behaviors.

 

Access devices to use

The company needs to keep control of the remote access devices to avoid any problems. The monitored entity should ensure that remote sessions are encrypted (e.g., use of Citrix), and that the recording medium is encrypted. It is also forbidden to use external media (storing data on a USB stick or other). Last but certainly not least, it is strictly forbidden for employees to send messages on private messaging systems (Yahoo, Gmail…) including company information.

So be sure to check the content of your messages for potentially sensitive information !

 

How to evaluate the compliance of my company ? The 21/769 report !

Rsecure has set up a web interface with a self-assessment tool that allows you to assess your compliance. The idea is simple, each company has to answer a series of questions concerning :

– ICT & security risk requirements,

– Compliance with other legal requirements,

– The basic requirements,

– Internal organization and internal control arrangements.

Once the questionnaire is completed, a report is automatically sent to you with the points of attention regarding the adherence to this circular. For example, we find the categories of questions that the company has answered as well as the level of maturity on the control, on the document and on the average risk (image below).

21/769 report

Would you like to receive more information about the circular or do you have a question ? Feel free to send us sales@rcube.lu and review our webinar : https://bit.ly/3nOttiG