Technical Expert (DORA Oversight Framework)

Supervisory ICT Risk and Cybersecurity
Full Time
Grade 7
Published on 18/09/2025
Hybrid
Malta

Job Description

Overview

About Department

The Supervisory ICT Risk and Cybersecurity Function forms part of the MFSA’s Supervision Directorate. It is cross-sectorial and has been established to focus on one of the Authority’s outlined key strategic priorities: addressing ICT risks and digital finance challenges, with a focus on strengthening operational resilience within the framework of the Digital Operational Resilience Act (DORA). As a supervisory function, its portfolio of activities includes effective supervision, which aims to ensure that regulated firms within the industry are effectively managing their ICT risks and have a resilient cybersecurity framework in place, in line with Acts, Regulations, rules and sector-specific guidelines. The function participates in and contributes to various Working Groups, Task Forces and Committees at local and international levels, and develops policies and guidelines for the industry.

The Supervisory ICT Risk and Cybersecurity Function provides expert advice on ICT and cybersecurity matters to other functions within the MFSA as required. It also contributes to emerging strategies, especially those that are technology-focused. The function is also the contact point for cyber incident reporting by regulated firms.

About Role

DORA foresees that ICT third-party service providers who provide ICT services to financial entities and are identified as critical for the EU financial system (critical third-party providers - CTPPs) will be subject to oversight at the EU level to minimise the risks they expose the EU financial sector to. In practice, this oversight will be carried out by a Lead Overseer, which will be one of the three European Supervisory Authorities (ESAs), i.e. the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), or the European Securities and Markets Authority (ESMA).

The Lead Overseer may request information from CTPPs, conduct off-site investigations and on-site inspections, impose penalties and issue recommendations to CTPPs. It will also cooperate with other EU institutions, including the European Union Agency for Cybersecurity (ENISA), and with competent authorities within the EU. The latter will support the Lead Overseer in the conduct of oversight activities and follow up on the recommendations of the Lead Overseer with the financial entities they supervise. As Lead Overseers, the ESAs will run Joint Examination Teams (JETs) to oversee each CTPP. The JETs will be composed of members from the ESAs, the competent authorities in the financial sector and possibly some agencies responsible for cybersecurity.

Within this role, you will contribute to the JETs as a member on a full-time basis, as follows: 

  • Perform risk assessments to determine areas of oversight focus for the CTPPs;
  • Contribute to the preparation of the plan of oversight activities over CTPPs;
  • Perform desk-based reviews of policy, procedures, contractual arrangements, financial and other relevant information of critical third-party providers; 
  • Perform on-site inspections or other reviews/assessments of CTPPs to assess their risks, in accordance with ICT security standards and requirements;
  • Contribute to the preparation and monitoring of recommendations on the activities carried out by the CTPP;
  • Perform other oversight activities in the area of your expertise, as appropriate;
  • Travel and work abroad regularly, as required by the role.

About You

The selected candidate will need to have a solid academic background in ICT or related fields (such as computer science, computer engineering, engineering, information security, software engineering, data analytics, audit, control, compliance, finance and accounting, business administration).

The role calls for an academic qualification in a relevant field of study as provided above, corresponding to completed university studies of at least three years, at National Qualification Framework Level 6 or better duly certified by the Malta Qualification Recognition Information Centre (MQRIC).

You will also possess a minimum of seven (7) years of experience working in one or more of the areas mentioned above.

If you do not have the necessary academic or professional qualifications but you have at least thirteen (13) years of relevant experience within a relevant area, we would still be interested in speaking with you.

You are also expected to possess knowledge and/or expertise gained, ideally within the financial services industry, in at least one of the following areas: 

  • Assessment of ICT risks (identifying, analysing, and/or mitigating ICT risks such as cybersecurity threats and/or operational weaknesses);
  • Development of ICT solutions or operations (such as cloud computing, telecommunication infrastructure, cybersecurity, data centre operations and/or data analytics solutions); 
  • Governance and internal control frameworks for operational resilience, including risk mitigation strategies;
  • Third-Party Risk Management (TPRM) – evaluating and monitoring TPRM strategies, including assessing concentration risks, systemic dependencies, and the adequacy of exit plans for CTPPs.

Advantageous criteria:

  • Knowledge and/or experience in regulatory provisions (such as DORA and/or other frameworks governing ICT or general risks);
  • Professional certifications and/or qualifications in the field of the vacancy notice (such as ICT security, operations, audit and/or internal control);
  • Experience in drafting high-quality documents (such as assessment reports, policies and/or procedures).

Behavioural competencies:

  • Drive for results with flexibility to take on new tasks in a dynamic and fast-paced working environment.
  • Communicate clearly and precisely both orally and in writing to different audiences (both technical and non-technical stakeholders).
  • Act in line with EU high-standard professional values (such as ethics and integrity, public service, respect, open collaboration, trust and creativity).
  • Very good organisation and prioritisation skills and the ability to handle a large volume of work in an efficient and timely manner.
  • Analytical and problem-solving skills.
  • Ability to adapt to changing priorities as they arise.
  • Ability to build productive and cooperative working relationships with multiple internal and external stakeholders.

Other Information

The MFSA is an Equal Opportunities Employer as certified by the NCPE (National Commission for the Protection of Equality) and is committed to a policy of equal opportunity in all aspects of employment and will take care to avoid any form of discrimination in its recruitment procedures. The MFSA reserves the right to withdraw this call at any time and not to select any of the Candidates.

It is the responsibility of applicants in possession of qualifications awarded by Universities and other similar institutions outside Malta to produce a recognition statement on comparability of qualifications issued by the Malta Qualifications Recognition Information Centre (MQRIC). Applicants should do so preferably at application stage or otherwise at the preliminary interview should an applicant be selected for such interview. Details can be obtained by accessing the National Commission for Further and Higher Education website on www.ncfhe.gov.mt under MQRIC heading.

The MFSA shall ensure that any processing of personal data is in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation), the Data Protection Act (Chapter 586 of the Laws of Malta) and any other relevant European Union and national law. For further details, you may refer to the Data Protection Policy on the MFSA webpage www.mfsa.mt.

Candidates are to note that the submission of any false statement/s or omission, even if unintended, may lead to the cancellation of their application and may render the candidate's appointment liable to termination.

Furthermore, please note that candidates may be asked to submit any documentation in support of the information provided, including but not limited to, proof of qualifications and Police Conduct Certificates.

Public Call Permit: 944/2025