AFM makes recommendations for IT security of capital markets

News18/04/24

AFM makes recommendations for IT security of capital markets

Capital market firms should pay due attention to the design and structure of their IT risk register, service level management in respect of intra-group outsourcing and the inclusion of cyber-attack scenarios when testing their business continuity plans. The AFM makes these recommendations on the basis of an in-depth study of the maturity of IT security measures, arising from the 2022 self-assessment survey of capital market firms.

The in-depth study was conducted among selected firms on a subset of the security measures. Although the in-depth study did not identify any significant shortcomings in relation to the selected measures, certain areas of concern have nonetheless emerged. The three main recommendations for enhancing IT security measures are:

• Establish a comprehensive IT risk register
An IT risk register contains an overview of all risk assessments that have been carried out, including inherent risks and residual risks, and the related action plans. The structure and depth of the risk registers that were surveyed differ. This makes it difficult to determine whether all the risks are adequately mitigated and residual risks align with a firm's risk tolerance.

• Include cyber-attack scenarios in business continuity tests
Cyber-attack scenario testing is an important approach to ensure that a firm can recover from cyber attacks, such as a ransomware attack. These scenarios are not always part of business continuity tests.

• Establish adequate service level management in respect of intra-group outsourcing
Several selected firms are part of an international group and outsource significant parts of their IT services within that group. Service level management should also be adequately in place for the monitoring of intra-group services. Service level management in respect of intra-group outsourcing was in some cases less formalised than external outsourcing arrangements.

Preparations for DORA

In line with the recommendations, the financial sector needs to make preparations in the coming period for the implementation of the requirements of the Digital Operational Resilience Act (DORA). DORA is a European regulation that aims to ensure that financial organisations improve the controls of their IT risks and thus become more resilient against cyber threats. DORA will apply as of 17 January 2025.

Tags

Counterparties trading OTC-derivates (EMIR)DigitalisationInformation for AIFM and collective investment schemesIssuers of securitiesTrading and settlement platforms

More information

Exploratory study Information Security of Capital Markets (pdf, 245kB)