Best practice

Increased protection

Do the authorities recommend additional cybersecurity protections beyond what is mandated by law?

The chief international standards relating to information security are ISO 27001 and ISO 27002. Many organisations choose to implement the provisions of these standards to reduce risks to their computers and networks without obtaining the corresponding certification. According to Part 5 of Subsidiary Legislation 460.35, the Measures for High Common Level of Security of Network and Information Systems Order, digital service providers shall take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the network and information systems they use in the context of offering services within Malta.

How does the government incentivise organisations to improve their cybersecurity?

Capital investments made in relation to an organisation’s information technology infrastructure may be eligible for tax credits on the expenditure incurred under the Micro Invest Scheme, promoted by the Maltese government agency, Malta Enterprise, which is responsible for providing fiscal and other incentives to business.

Identify and outline the main industry standards and codes of practice promoting cybersecurity. Where can these be accessed?

In the local telecommunications industry, one such code of conduct exists, signed by the major industry players promoting cybersecurity in accordance with the European Framework for Safer Mobile Use by Young Teenagers and Children, to which they are signatories. This code of conduct relates to the content provided by the communications providers, and not to internet content in general. This code of conduct is publicly available and may be accessed on the telecommunications providers’ websites.

Are there generally recommended best practices and procedures for responding to breaches?

In the remote gaming business, the best practices currently in place are the safekeeping of all data related to the cyberthreat, the setting up of a dedicated team to identify the source of the threat and ensure that proper steps are taken to avoid a recurrence of such an incident, and the education of employees to ensure that all staff are aware of the threats and of the importance of following the company’s procedures and policies. Where necessary, third-party firms are engaged to perform penetration tests to ensure that the systems used are adequately secure. According to Subsidiary Legislation 460.35, the Measures for High Common Level of Security of Network and Information Systems Order, any security breach affecting a designated operator of a digital service provider should be notified to the Malta Communications Authority by the computer security incident response team.

Information sharing

Describe practices and procedures for voluntary sharing of information about cyberthreats in your jurisdiction. Are there any legal or policy incentives?

At present, no specific legal or policy incentives exist that target the voluntary sharing of information relating to cyberthreats.

How do the government and private sector cooperate to develop cybersecurity standards and procedures?

The process of enacting legislation and regulations applicable to the cybersecurity and ICT field involves detailed discussions and consultation briefings with key industry players, stakeholders in the field and the general public, so that ideas can be pooled with governmental bodies. This helps to ensure that the regulations created for this field, in which newer and more complex risks are constantly emerging, are efficiently targeted when cybersecurity standards and procedures are being developed.
Is insurance for cybersecurity breaches available in your jurisdiction and is such insurance common?

Insurance coverage for cybersecurity threats is increasing in popularity in Malta as information technology companies continue to set up their businesses here. As cybersecurity breaches are becoming a major risk for modern data-centric organisations, it is beneficial to transfer this risk through an appropriate insurance policy that covers data loss incidents, business interruptions and network outages. However, although an insurance policy can cover the financial risks associated with security breaches, including damage caused to third parties, no policy can bring back lost data, recall leaked sensitive information or erase reputational damage. Accordingly, insurance policies are not a substitute for, and should always work in conjunction with, data security policies and processes that minimise the risk in the first place.