Erdem & Erdem Law Office
Introduction
As stated under Article 128 of Capital Markets Law No. 6362[i] (“Capital
Markets Law”), one of the duties of the Capital Markets Board (“CMB”) is to
determine the procedures and principles for the management, supervision and
operation of the information systems of capital markets institutions, publicly
held companies, stock exchanges and self-regulatory establishments. To this end,
based on the provisions of the Capital Markets Law, the Communiqué on the
Management of Information Systems (VII-128.9) (“Management Communiqué”) and the
Communiqué on the Independent Auditing of Information Systems (III-62.2)
(“Auditing Communiqué”; the Management Communiqué and the Auditing Communiqué
are collectively referred to as the “Communiqués”) were published in the
Official Gazette dated 5 January 2018 and numbered 30292. Both Communiqués
entered into force upon their publication in the Official Gazette. While the
procedures and principles applicable to the management of the information
systems of the establishments listed therein are set out in the Management
Communiqué, the independent auditing of information systems is regulated
separately under the Auditing Communiqué. This article focuses mainly on the
scope of the Management Communiqué, the innovations introduced thereunder, in
particular the obligation to keep the systems within the Republic of Turkey,
and, finally, the sanctions.
[i] Capital Markets Law No. 6362, Official Gazette No. 28513, 30 December 2012.
The Scope of the Management
Communiqué
Both Communiqués apply to Borsa Istanbul A.S., other marketplaces organized by
stock exchanges and market operators, pension mutual funds, Istanbul Takas ve
Saklama Bankasi A.S., Merkezi Kayit Kurulusu A.S., portfolio depository
establishments, Sermaye Piyasasi Lisanslama Sicil ve Egitim Kurulusu A.S.,
capital markets institutions, publicly held companies, the Capital Markets
Union of the Republic of Turkey and the Appraisers Association of the Republic
of Turkey. Among these institutions, establishments and associations, banks,
insurance companies, financial leasing companies, factoring companies and
financing companies must instead comply with the requirements of their own
sector-specific legislation in respect of the management of information
systems; compliance with that specific legislation is deemed to satisfy the
requirements of the Communiqués.
Information Systems: Primary
and Secondary Systems
The Management Communiqué defines the primary system as “the complete system,
comprising the infrastructure, hardware, software and data, that ensures that
the information required by the institutions, establishments and associations
to perform their obligations under the legislation is stored and used, and that
enables secure access to such information if and when required.” The Management
Communiqué defines the secondary system as “the backups of the primary system
which enable uninterrupted access to all information in the event of any
interruption to the activities carried out by the primary systems, and which
enable the institutions, establishments and associations to perform their
obligations under the legislation if and when required, with the aim of
keeping the activities sustainable during the period of interruption.”
In light of the above, the legislator defines information systems broadly, so
as to include all information systems used for the performance of activities
within the scope of the Capital Markets Law or as otherwise required by the
CMB.
Article 26 (Sustainability of the Information Systems) of the Management
Communiqué obliges the institutions, establishments and associations to keep
both the primary and the secondary systems within the Republic of Turkey. Since
in practice many publicly held companies currently host their cloud-based
systems abroad, this newly introduced provision raised the question of whether
those companies would be required to relocate their systems to the Republic of
Turkey. The CMB addressed the question in a public disclosure in the CMB
Bulletin dated 8 March 2018 and numbered 2018/10. The CMB stated that publicly
held companies that are not subject to independent information systems audit
are not required to keep their primary systems within the Republic of Turkey.
The CMB further stated that the group of publicly held companies subject to
independent audit is planned to be extended gradually; a company that becomes
subject to independent audit will be obliged to keep its primary systems within
the Republic of Turkey from the period for which that obligation applies.
Management of the
Information Systems
The Management Communiqué was issued in order to ensure that information
systems are established and managed in a secure, efficient and sustainable
manner, and to determine the procedures and principles applicable thereto.
For this purpose, the Management Communiqué requires that the policies for the
establishment, operation, management and use of the information systems, as
well as all information security policies covering the confidentiality,
integrity and, where needed, availability of information, be prepared by the
top management and approved by the board of directors. Once approved, the
policies must be communicated to the employees.
The top management is responsible for monitoring the application of the
policies, whereas the responsibility for putting effective and sufficient
controls in place rests with the board of directors, which delegates it. The
Management Communiqué further makes the top management responsible for
establishing a mechanism to review the policies and all responsibilities
annually, to identify risks and perform risk management, to monitor and
evaluate information security incidents (events that breach the information
security policies), and to provide information security awareness training to
employees, among other duties.
The Management Communiqué stipulates that the institutions, establishments and
associations within its scope shall appoint a suitably equipped and qualified
individual who is responsible for fulfilling the procedures and principles on
the security of the information systems, for monitoring them, and for reporting
the risks and their management to the top management. The Communiqué further
requires the institutions, establishments and associations to have a
penetration test performed at least once a year by an independent person
holding a nationally or internationally recognized certification.
The Management Communiqué sets out the minimum requirements for the control of
the information systems, which are, briefly, (i) defining the process owner,
roles, activities and responsibilities, (ii) defining the control periods, and
(iii) defining the objectives of each control period together with measurable
performance targets. The Communiqué further regulates, among other matters,
information asset management, segregation of duties between system
administration, database administration and application development, security,
identity authentication, authorization, audit trail mechanisms, the principles
for informing customers and, finally, limited exemptions from certain
obligations for certain institutions, establishments and associations.
Sanctions
In the event of non-compliance with the provisions of the Management
Communiqué, Article 103 (General Principles) of the Capital Markets Law
applies. Accordingly, an administrative fine of between TRY 27,047 and
TRY 338,088 may be imposed.
Conclusion
With the introduction of the Management Communiqué, which determines the
procedures and principles applicable to the management of information systems,
the establishment and management of information systems in a secure, efficient
and sustainable manner is now regulated. The obligations under the Management
Communiqué apply to the institutions established under, or subject to, the
Capital Markets Law. The discussions regarding the obligation to keep the
primary and secondary systems within the Republic of Turkey have been clarified
by the CMB for the time being, although we believe further and more detailed
clarification is still needed. The Communiqué regulates the policies for the
establishment, operation, management and use of information systems, all types
of information security policies, the parties responsible for the related
duties, and other details.
(First published on the website of Erdem&Erdem Law Office in March 2018:
http://www.erdem-erdem.av.tr/publications/newsletter/management-of-information-systems/)