The Capital Markets Board ("CMB") recently published two new communiqués: the Communiqué on Information Systems Management numbered VII-128.9 ("Communiqué on IS Management") and the Communiqué on Independent Audit of Information Systems numbered III-62.2 ("Communiqué on IS Audit"), both of which entered into force on 5 January 2018.

These Communiqués introduce new obligations with regard to information systems for certain legal persons, such as Istanbul Stock Exchange Inc.; Stock Markets, Stock Market Operators and other Regulated Markets; Pension Funds; Istanbul Settlement and Custody Bank Inc.; Central Securities Depository of Turkey; Custodians; Capital Markets Licensing, Registry and Training Agency; Capital Market Institutions; Publicly Held Joint Stock Companies; Turkish Capital Markets Association and Turkish Appraisers Association (together, "the Entities").

The Communiqué on IS Management defines in considerable detail the technical procedures for the sustainability and secure operation of information systems. As an overview, some of its principles can be highlighted as follows:

  • The management of the information systems of the Entities has become a part of corporate governance practice. The Entities shall determine and update policies, processes and principles with regard to information security management and shall inform all relevant personnel accordingly.
  • An "Information Security Policy" covering the establishment, management and use of information systems, and the confidentiality, integrity and availability of information assets, shall be prepared by the executive management and approved by the Board of Directors (BoD) of the related Entity.
  • The executive management of the Entity shall be responsible for the execution of the Information Security Policy. The BoD shall be liable to ensure effective and sufficient controls over the information systems, consistent with the Information Security Policy. An information security officer shall be appointed for the evaluation and management of security risks, and such officer shall report directly to the executive management of the Entity.
  • With regard to data protection, specific measures shall be taken as precautions to protect the secrecy of the data received, processed and stored in the course of information system operations. The Communiqué sets out various methods to be used for physical and environmental safety, network security, identity verification, access limited to authorized persons, data integrity, and preserving the confidentiality of the data stored in information systems.
  • Various other precautions are defined for the protection of client data acquired through information systems; furthermore, Entities are required to perform penetration tests at least once a year.

In respect of IS service providers, Art. 18 of the Communiqué on IS Management envisages a special monitoring mechanism. This monitoring mechanism shall be established by the executive management of the Entity to assess and manage the risks generated by outsourcing information system services to third-party service providers. The minimum coverage required of the monitoring mechanism is set forth in the Communiqué. From the relevant provisions, we can conclude that where a customer of a company falls within the scope of the "Entities", such customer may request the vendor company, as an IS service provider, to operate its systems and prepare or amend its contracts in conformity with the Communiqué.

Moreover, Art. 18.3 of the said Communiqué states that the access rights granted to service providers for outsourced services shall be evaluated individually. As a consequence of this provision, in terms of consulting and support services provided for hosting/cloud products, Entities may apply certain access or security restrictions to their service providers.

Last but not least, according to Art. 26 of the Communiqué on IS Management, the primary and secondary systems of the Entities are required to be located within the territory of the Republic of Turkey. Therefore, when procuring hosting and/or any other software services under a cloud computing model, Entities will need to work with service providers whose servers are located within the territory of the Republic of Turkey.

On the other hand, the Communiqué on IS Audit sets forth the rules, policies and principles regarding the independent audit of the information systems of the Entities. Independent audit companies shall audit the Entity and report whether its operations, equipment and software comply with the information system management principles of the Communiqué on IS Management. Periodic information system audits are made obligatory for some of the Entities, and the required frequency of the audits varies for each entity.

According to the Communiqué on IS Audit, the Entity being audited shall provide and/or make available the information system documentation and all related records, information and systems for the independent audit process. Therefore, where a customer of an IS service provider falls within the "Entities" subject to compulsory independent audits, the information systems of such Entity should be structured in a way that enables the Entity to authorize the auditor to access the information needed to perform the audit under the Communiqué on IS Audit.

In conclusion, following these new legal regulations, the Entities will prefer to procure IS services from service providers whose systems operate consistently with the provisions of the Communiqués. Service providers are therefore recommended to evaluate their systems from a technical perspective to ensure compatibility with the mentioned Communiqués.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.