On 17 March 2020, the CSSF issued an FAQ clarifying the recommended minimum IT security requirements for remote access implemented to meet the demands of the exceptional situation created by Covid-19. The FAQ sets out minimum recommendations with respect to:

  1. high-privileged access: identification of user profiles with the highest risk levels (IT administrators, employees in charge of transactions/payments, etc.) and the implementation of proper security measures (strong authentication, access from a secure laptop, logging and review of sensitive actions);
  2. secure communication: encryption of communication channels (e.g. use of VPN with AES-256, RSA-2048 encryption);
  3. connection monitoring: controls to ensure, at least, that remote connections are consistent with recourse to teleworking (i.e. access during office hours, geofencing);
  4. the duration of remote access: remote access introduced due to the exceptional Covid-19 situation should be temporary and disabled once the exceptional circumstances have passed.

The CSSF is further "urging financial institutions under its prudential supervision to favour working from home as part of their business continuity plans. As already mentioned in the communication of 2 March, satisfactory IT security conditions should be guaranteed and no prior authorisation is needed for such work arrangements."

As the coronavirus (COVID-19) pandemic is impacting people's daily lives and business operations across the globe, we have taken several measures to ensure our clients benefit from the highest quality service without disruption. Please read about our approach in our COVID-19 Business Continuity Plan and our special COVID-19 website section with more information on this topic.
