Alan Decelis, Head of ICT Risk and Cybersecurity at the MFSA: "Cyber resilience goes beyond individual institutional preparedness; it's about understanding and mitigating systemic risks"
- saskiavanvredenbur
- Oct 29
As cyber threats increasingly pose systemic risks to financial stability, regulators are shifting their focus from institution-level defences to macro-prudential oversight of the entire financial ecosystem. Alan Decelis, Head of Risk and Cybersecurity at the Malta Financial Services Authority (MFSA), brings a unique perspective on this challenge, having recently hosted the Cyber Finance Summit—a landmark event convening experts from the European Commission, Bank of England, Reserve Bank of India, and major technology providers. In this panel discussion, Decelis explores how interconnectedness, third-party dependencies, and cross-border threats are reshaping the regulatory approach to cyber resilience, and why international collaboration has become essential to protecting financial stability in an increasingly digital world.

How do you define cyber resilience in a macro-prudential context, and how does it differ from resilience at the firm level?
In a macro-prudential context, cyber resilience goes beyond individual institutional preparedness—it's about understanding and mitigating systemic risks that could cascade through the financial system. At the firm level, resilience focuses on protecting individual entities' operations, data, and continuity. However, from a macro-prudential perspective, we're concerned with interconnectedness, concentration risks, and the potential for cyber incidents to trigger broader financial instability.
Given that cyber threats do not respect borders, what practical steps should regulators take to improve international collaboration on cyber resilience?
International collaboration is absolutely critical and a key motivation for why we decided to host the Cyber Finance Summit. At the MFSA, we actively participate in European System of Financial Supervision working groups and maintain regular dialogue with international stakeholders including the IMF and credit rating agencies.
Practical steps include establishing formal information-sharing protocols for threat intelligence, harmonising supervisory expectations across jurisdictions, and conducting cross-border crisis simulation exercises. We need consistent regulatory frameworks—which is why initiatives like DORA are so important—to create a level playing field and prevent regulatory arbitrage.
The Cyber Finance Summit itself demonstrates Malta's commitment to fostering this international dialogue, bringing together experts from the European Commission, Bank of England, Reserve Bank of India, Dubai Financial Services Authority, and beyond. These platforms for knowledge exchange are essential for building collective resilience against cyber threats.
What are the biggest systemic cyber risks that threaten financial stability today?
Several systemic risks keep us vigilant. First, the concentration of critical ICT services among a small number of third-party providers creates significant dependency risks. A major incident affecting a cloud service provider or payment infrastructure could simultaneously impact multiple financial institutions.
Second, the evolving threat landscape, particularly ransomware targeting financial institutions and critical infrastructure, poses direct operational risks. The sophistication and coordination of cybercriminal organisations, sometimes with state backing, continues to escalate.
Third, interconnectedness within the financial system means that cyber incidents can propagate rapidly through payment systems, settlement networks, and shared platforms.
We're also watching emerging risks from new technologies such as quantum computing's potential to compromise current encryption standards, and AI-driven attack vectors that could outpace traditional defences.
How is the MFSA integrating cyber resilience considerations into its financial stability assessments?
We've embedded cyber resilience as a core component of our financial stability surveillance framework. This involves several layers: continuous monitoring of ICT risk across supervised entities, participation in European stress-testing exercises that include operational resilience scenarios, and regular assessment of concentration risks in third-party service providers.
What impact do you foresee DORA having on financial stability and systemic cyber resilience in Malta?
DORA represents a transformative regulatory development for Malta's financial sector. The regulation's comprehensive approach—covering ICT risk management, incident reporting, operational resilience testing, third-party risk management, and information sharing—will significantly enhance our systemic resilience.
What are the key takeaways and learnings from the MFSA Finance Summit?
The Summit has been an exceptional platform for advancing cyber resilience dialogue. Several key takeaways stand out:
First, the need for a holistic approach, combining regulatory frameworks, supervisory oversight, technological innovation, and industry collaboration. No single actor can achieve resilience in isolation.
Second, the importance of staying ahead of emerging threats. The sessions on quantum computing and artificial intelligence highlighted both opportunities and risks that we must prepare for now.
Third, the value of international cooperation. Hearing perspectives from the European Commission, Bank of England, Reserve Bank of India, and other jurisdictions reinforced that we're facing common challenges that require coordinated responses.
Finally, the critical role of supply chain security and third-party risk management. The insights from major cloud providers like Microsoft and Amazon, combined with the regulatory perspective from the DORA oversight framework, have provided valuable understanding of how we can better manage these systemic dependencies.
The Summit positions Malta not just as a participant in global cyber resilience efforts, but as a leader in convening these crucial conversations within the financial services sector.




