The European Securities and Markets Authority (ESMA) and Luxembourg's Financial Sector Supervisory Authority (CSSF) have issued press releases in relation to the impact of the COVID-19 virus outbreak on the stability of financial markets.
After examining the market situation and contingency measures implemented by supervised entities, ESMA has issued the following recommendations to market participants:
- Business continuity planning – all financial market participants and their infrastructures should be ready to deploy contingency plans and ensure operational continuity aligned with their regulatory obligations
- Market disclosure – any relevant significant information which concerns the impact of COVID-19 on their fundamentals, prospects or financial situation should be disclosed by the issuers, in keeping with their transparency obligations pursuant to the Market Abuse Regulation
- Financial reporting – issuers should, either in their 2019 year-end or in their interim financial reports, provide transparency regarding the actual and potential impacts of the outbreak on their business activities and financial situation
- Fund management – asset managers are expected to continue applying risk management requirements and adjust accordingly
The CSSF, for its part, has stated that it will closely monitor market developments, particularly the liquidity situation, which is essential in terms of crisis management. Acknowledging the daily operational challenges faced by supervised entities, the CSSF has vowed to refocus its interventions towards operations that are crucial in preserving financial stability as well as investor and consumer protection, and to continue supporting the financial sector through regular communication.
Noting that supervised entities had already started to implement business continuity plans by taking into account the relevant guidelines, the CSSF encouraged them to also remain attentive to the elevated IT security and fraud risks.
Following recent developments in Luxembourg and the EU, the CSSF has issued its first FAQ on COVID-19, urging entities under its supervision to favour working from home and making clear that no prior authorisation was required for such arrangements.
The CSSF also reminded entities that each of them was responsible for determining the necessary conditions to allow for remote working, and that it was incumbent upon them to weigh such conditions against the potential risks involved.
As guidance, the CSSF issued the following minimum recommendations:
- High privileged access – users presenting the highest risks (ie IT and transaction/payment officers) should be identified and proper security measures should be implemented – at least for them, and expanded more widely, where possible. These measures should include strong authentication, secure laptops managed by the professional, logging and ex-post review of actions carried out.
- Secure communication – encryption should be used to secure communication channels (ie VPN solutions with AES-256, RSA-2048 encryption).
- Connection monitoring – remote connections should come from Luxembourg and the neighbouring countries (geofencing), and should be disabled outside of office hours.
- Exceptional situation and limited time period – remote access should be temporary and considered as a time-limited response to an exceptional situation; activating conditions (trigger events) to authorise and disable remote access should be defined by professionals who should ensure that such access is disabled once the exceptional situation is over.
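As an added illustration (not part of the CSSF guidance or the original article), the connection-monitoring, time-limit and privileged-access recommendations above can be expressed as an ex-post review over remote-access log records. The record fields, role names, office hours, weekend exclusion and window dates are assumptions, and the source country is assumed to have been resolved from the client IP by an upstream GeoIP lookup.

```python
from datetime import datetime, date, time

# Assumed policy values; the CSSF text names none of these concretely.
ALLOWED_COUNTRIES = {"LU", "BE", "DE", "FR"}   # Luxembourg and its neighbours
OFFICE_START, OFFICE_END = time(8, 0), time(18, 0)
WINDOW_START, WINDOW_END = date(2020, 3, 16), date(2020, 6, 30)  # hypothetical trigger/end
HIGH_RISK_ROLES = {"it_admin", "payment_officer"}

def evaluate(conn):
    """Return the list of policy findings for one remote-connection record."""
    ts = datetime.fromisoformat(conn["local_time"])  # assumed Luxembourg local time
    findings = []
    if conn["country"] not in ALLOWED_COUNTRIES:
        findings.append("geofence")
    if ts.weekday() >= 5 or not (OFFICE_START <= ts.time() < OFFICE_END):
        findings.append("outside_office_hours")
    if not (WINDOW_START <= ts.date() <= WINDOW_END):
        findings.append("outside_exceptional_window")
    if conn["role"] in HIGH_RISK_ROLES and not conn["mfa"]:
        findings.append("privileged_without_strong_auth")
    return findings

def review(records):
    """Ex-post review: map each user with at least one finding to those findings."""
    report = {}
    for rec in records:
        found = evaluate(rec)
        if found:
            report.setdefault(rec["user"], []).extend(found)
    return report

# Constructed sample records, not real log data.
SAMPLE = [
    {"user": "alice", "country": "LU", "local_time": "2020-03-18T10:15:00",
     "role": "payment_officer", "mfa": True},
    {"user": "bob", "country": "ES", "local_time": "2020-03-18T11:00:00",
     "role": "staff", "mfa": True},
    {"user": "carol", "country": "FR", "local_time": "2020-03-21T23:30:00",
     "role": "it_admin", "mfa": False},
    {"user": "dave", "country": "DE", "local_time": "2020-07-02T09:00:00",
     "role": "staff", "mfa": True},
]

if __name__ == "__main__":
    for user, found in review(SAMPLE).items():
        print(user, ", ".join(found))
```

The same rules are better enforced at the VPN gateway at connection time; a log review like this one serves as the ex-post check on whether that enforcement held.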
Both ESMA and the CSSF have stressed the importance of maintaining an ongoing and active cooperation between national and European competent authorities. In addition, ESMA has stressed its readiness to use its powers to ensure the orderly functioning of markets, and safeguard financial stability and investor protection.