Sustainability Report 2022
Governance
Data & information security
Having a robust information and data security management system is fundamental for all companies. This is especially critical for MFEX, considering our reliance on time-sensitive financial information to deliver the best experience for our clients.
We recognize that effective governance is critical to ensuring sound information and data security practices. Our organisation has implemented a governance framework that includes the following elements:
Risk Management:
We conduct regular risk assessments to identify and assess potential security risks to our information and data assets. Based on the results of these assessments, we implement appropriate controls and mitigation measures to reduce the likelihood and impact of security incidents.
Compliance and Legal Requirements:
We comply with applicable laws, regulations, and industry standards related to information and data security. Our information security team actively monitors changes in regulatory requirements and ensures that our security measures are aligned with these requirements. The following regulations have been accommodated:
EBA Guidelines on ICT and Security Risk Management
SWIFT Customer Security Control Framework
CSSF 20/750 Requirements regarding information and communication technology (ICT) and security risk management
CSSF 22/806 Outsourcing arrangements
MAS Guidelines on Technology Risk Management
MAS Notice on Cyber Hygiene
Reporting and Accountability:
Information and data security is overseen by the Chief Security Officer (CSO), located at our headquarters in Stockholm. We have local information security officers based in Luxembourg, France, and Sweden. The CSO reports the status of our security measures, incidents, and compliance with policies and procedures to the Chief Technical Officer (CTO), the Chief Risk Officer (CRO), and other MFEX entities and stakeholders. The CRO reports directly to the Board of Directors (BoD).
Continuous Improvement:
We are committed to continuously improving our information and data security practices. We regularly review and update our security measures based on feedback, lessons learned from security incidents, and changes in technology and industry best practices.
Policies and Procedures:
We have established comprehensive policies and procedures that outline our information and data security requirements, standards, and best practices. These policies and procedures are regularly reviewed and updated to reflect changes in our business environment and the evolving threat landscape. We follow the guidelines of the National Institute of Standards and Technology (NIST) Cybersecurity Framework, which consists of five key functions: Identify, Protect, Detect, Respond and Recover. Any complaints or incidents related to customer privacy can be reported through our whistleblowing function or directly to our Data Protection Officer (DPO). We are proud to report that in 2022, MFEX did not receive any substantiated complaints regarding breaches of customer privacy, and we did not experience any confirmed breaches or losses of customer data.