At MFEX by Euroclear, upholding data and information security is seen as fundamental to operating safely and successfully, and to being a trusted and preferred business partner. As an actor in the financial industry, we rely on time-sensitive financial information and pricing in order to operate, so avoiding disruptions to our digital systems is key to our success. Failure to adhere to data regulations, or exposure to external cyber threats such as ransomware attacks, is therefore treated as a critical risk within MFEX.
MFEX complies with all national legislation in the countries in which we operate, as well as with the EU General Data Protection Regulation (GDPR). To ensure compliance, we follow industry best practices such as the NIST Cyber Security Framework, ISO/IEC 27002, the SWIFT Customer Security Controls Framework, the EBA Guidelines on ICT and security risk management, and the MAS Technology Risk Management Guidelines. MFEX has a GDPR Policy in place, and any complaints or incidents can be reported through our whistleblowing function or directly to the Data Protection Officer. During 2021, MFEX did not identify any substantiated complaints concerning breaches of customer privacy.
Data and information security at MFEX is governed through the Chief Security Officer (CSO), who is located at the headquarters in Stockholm and oversees security work across the company. The CSO reports to the Chief Technical Officer (CTO) but is also in close dialogue with the Chief Risk Officer (CRO), who reports directly to the Board of Directors (BoD). Daily security operations are carried out by information security officers in Luxembourg, as well as by the Security Operations Center, which detects and responds to incidents.
MFEX applies a five-step approach to working with information security incidents, following the five functions and categories of the NIST Cybersecurity Framework:
Identify: Asset Management, Business Environment, Governance, Risk Assessment, Risk Management Strategy
Protect: Access Control, Awareness & Training, Data Security, Information Protection Processes & Procedures, Maintenance, Protective Technology
Detect: Anomalies & Events, Security Continuous Monitoring, Detection Processes
Respond: Response Planning, Communications, Analysis, Mitigation, Improvements
Recover: Recovery Planning, Improvements, Communications
National Institute of Standards and Technology (NIST) Cybersecurity Framework
Since the cyber security landscape constantly evolves, we continuously review our routines and practices to ensure that we keep pace and can detect and prevent new types of threats. One way we assess the success of our management approach is simply by measuring the number of confirmed breaches or losses of customer data. During the past year, a process was initiated to improve security awareness among employees, in order to prevent potential data breaches caused by human error. The goal is to launch security awareness training that is customized to the employees' existing knowledge.