Management of Information Systems
As stated under Article 128 of Capital Markets Law No. 6362 (“Capital Markets Law”), one of the duties of the Capital Markets Board (“CMB”), among others, is to determine the procedures and principles for the supervision and operation of the management of the information systems of capital markets institutions, publicly held companies, stock exchanges and self-regulatory establishments. To this end, based on the provisions of the Capital Markets Law, Communiqué on the Management of the Information Systems (VII-128.9) (“Management Communiqué”), together with the Communiqué on the Independent Auditing of Information Systems (III-62.2) (“Auditing Communiqué,” Management Communiqué, and the Auditing Communiqué, shall collectively be referred to as the “Communiqués”) have been published in the Official Gazette dated 5 January 2018 and numbered 30292. Both the Management Communiqué and the Auditing Communiqué have entered into force with their publication in the Official Gazette. While the procedures and principals applicable to the management of the information systems for the listed establishments therein are determined under the Management Communiqué, independent auditing of information systems is further regulated under the Auditing Communiqué. This article will mainly focus on the scope of the Management Communiqué, innovations introduced thereunder, especially the obligation to keep the systems in the Republic of Turkey and, finally, the sanctions.
The Scope of the Management Communiqué
Both of the Communiqués are applicable to Borsa Istanbul A.S., other market places organized with the stock exchanges and market operators, pension mutual funds, Istanbul Takas ve Saklama Bankasi A.S., Merkezi Kayit Kurulusu A.S., portfolio depository establishments, Sermaye Piyasasi Lisanslama Sicil ve Egitim Kurulusu A.S., capital markets organizations, publicly held companies, Capital Markets Union of the Republic of Turkey, and the Appraisers Association of the Republic of Turkey. Banks and insurance companies, financial leasing, factoring and financing companies, from amongst the aforementioned institutions, establishments and associations would comply with the requirements of their specific legislation in respect of the management of the information systems. Compliance with such specific legislations would be regarded as satisfaction of the requirements of the Communiqués.
Information Systems: Primary and Secondary Systems
The Management Communiqué defines the primary system as “the complete system comprising of the infrastructure, hardware, software and data, ensuring to save and use the information required for the institutions, establishments and associations to perform their obligations stated under the legislation, if and when required, and enabling the access to such information in a secure manner.” It is set forth in the Management Communiqué that the secondary system means “the primary system backups, which enable uninterrupted access to all information in the event of any interruption to the activities carried out by the primary systems, and if and when required for institutions, establishments and associations to perform their obligations stated under the legislation with an aim to keep the activities in a sustainable manner within the interrupted periods.”
In light of the above, the legislator defines the information systems in a broad manner so as to include all information systems used for the performance of the activities within the scope of the Capital Markets Law, or as required by the CMB.
It is stated under Article 26 (Sustainability of the Information Systems) of the Management Communiqué that the institutions, establishments and associations are obliged to keep the primary and secondary systems within the Republic of Turkey. As in practice, so many publicly held companies are currently keeping their iCloud systems abroad; such a newly introduced provision created discussions as to whether those companies will be required to transfer their systems into the Republic of Turkey. However, the CMB announced a public disclosure in the CMB Bulletin dated 8 March 2018 and numbered 2018/10 in order to clarify such discussions. The CMB stated that the information systems of the publicly held companies, which are not subject to independent audit, are not required to keep their primary systems within the Republic of Turkey. The CMB further stipulates that the scope of the publicly held companies, which are subject to independent audit, is planned to be gradually extended. For those companies that will be subject to independent audit, they will be obliged to keep the primary systems from the period, under which they are obliged, within the Republic of Turkey.
Management of the Information Systems
The Management Communiqué is entered into force in order to ensure the formation and management of the information systems in a secure, efficient, sustainable manner, and to determine the procedures and principles applicable thereto.
For this purpose, pursuant to the Management Communiqué, the policies for the establishment of the information systems, operation, management and usage thereof, as well as all sorts of information security related policies, such as confidentiality, integrity and, if and when needed, availability of the information, should be prepared by the top management and approved by the board of directors. Following its approval, the policies should be announced to the employees.
The top management is responsible for the monitoring of the application of the policies; however, the responsibility for organizing effective and sufficient controls is delegated by the board of directors. The Management Communiqué further sets forth that the top management is responsible to create a certain mechanism for review of the policies and all the responsibilities annually, determination of the risks and performing risk management, monitoring of those events that are incompliance with the information security and evaluation of those, providing education to the employees to be aware of the information security, etc.
The Management Communiqué stipulates that the institutions, establishments and associations that fall within the scope of the obligations shall appoint a well-equipped and qualified individual who is responsible for performing the requirements of the processes and principles in respect of the security of the information systems and monitoring of the same and, further, reporting to the top management the risks and the management of the risks. The respective Communiqué further requires institutions, establishments and associations to hire a nationally or internationally certified independent person to run a leakage test at least once a year.
The legislator states the minimum requirements to be fulfilled regarding the control of the information systems under the Management Communiqué, which are, briefly, (i) defining the process owner, roles, activities and liabilities, (ii) defining the controlling periods, periodically, and (iii) defining the aims and purposes of each of the controlling periods and measurable performances. The respective Communiqué further regulates, among others, that the asset (comprised from information) management, segregation of duties for the system, database and development of the implementations, security, ID authentication, authorization, audit trail mechanism, the principles for informing the customers and, finally, limited exceptions for certain institutions, establishments and associations in respect of certain obligations.
In the event of any non-compliance with the provisions of the Management Communiqué, Article 103 (General Principles) of the Capital Markets Law will apply. Accordingly, an administrative fine from TRY 27,047 up to TRY 338,088 will be assessed.
With the introduction of the Management Communiqué, which determines the procedures and principals applicable to the management of the information systems, the formation and management of the information systems in a secure, efficient, sustainable manner, and to determine the procedures and principles applicable thereto, are ensured. The scope of the obligations under the Management Communiqué includes the institutions established as per, or subject to, the Capital Markets Law. The discussions regarding the obligation to keep the primary system and the secondary system within the Republic of Turkey has been clarified by the CMB for the time being, which we still believe should be further clarified, and in detail. The respective Communiqué regulates the policies for the establishment of the information systems, operation, management and usage thereof, as well as all types of information security related policies, the responsible parties for the duties, and other details.
 Capital Market Law numbered 6362, OG, No. 28513, December 30, 2012.