AFM publishes Principles for Information Security
A set of Principles for Information Security has been published by the AFM to provide guidance for financial firms and audit firms.
The Dutch Authority for Financial Markets (the AFM) published a set of Principles for Information Security on 19 December 2019.
The introduction to the principles notes that the management of information security has become increasingly important due to the increasing digitalisation of firms and the growing threat of cybercrime.[1] The principles provide guidance for financial firms (including AIFMs)[2] and audit firms in the interpretation of legal provisions. The principles were drawn up following input obtained in May 2019 via a public consultation.
The document sets out principles on 11 topics: policy, governance, identifying threats and assessing risks, people and culture, technology, processes, physical security, data, response and recovery, outsourcing and chain perspective. Practical examples of guidance given in the principles include (but are not limited to):
- Periodic testing of implemented information security measures.
- Making use of internationally accepted information security & cyber security frameworks.
- Firms making clear, legally binding agreements with outsourcing parties on cooperation and the division of responsibilities in the field of information security, including the right to carry out audits at the suppliers.
- The sharing of information on security risks and threats within chains of linked parties and within the sector.
The AFM notes on its website that it “expects firms to take appropriate measures to guarantee the continuity and reliability of their IT and provision of information, and to limit the impact of any security incidents.”[3] Financial firms should take the AFM principles into account when managing IT security.
[1] AFM Principles for Information Security, p. 4.
[2] Also including AIFs, UCITS, management companies of UCITS, investment firms, custodians, financial service providers (other than banks, insurers and financial institutions), pension funds, data reporting services providers and regulated markets.