4.5.1. ICT security

4:175 Article 17 §1(7) of the Brokerage Supervision Act stipulates that IT control and security mechanisms should be put in place which are appropriate to the firm’s activities and sufficiently robust to guarantee the security and authentication of the means of transferring information, minimise the risk of data corruption and unauthorised access, and prevent information leaks in order to maintain data confidentiality at all times.

4:176 For example, the statutory governing body should ensure that the firm’s governance system, in particular the risk management and internal control system, adequately manages risks related to information and communication technology (ICT) and information security.

4:177 Firms should, as part of their governance system and in accordance with the principle of proportionality, establish an information security function whose tasks include: (i) providing guidance on the firm’s information security vision and strategy, taking into account all relevant information; (ii) ensuring that the information security objectives and measures defined in this strategy are translated into a comprehensive information security policy framework; (iii) properly communicating this information security policy framework to all stakeholders, both internally and, as appropriate, externally; (iv) assessing, monitoring and ensuring compliance with the information security strategic framework and, as appropriate, adapting it; and (v) establishing security risk management and reporting processes that are integrated into the firm’s overall risk management framework.

4:178 It is recommended that the information security function be a senior position (N-1 level) within the firm, with a direct reporting line to the statutory governing body and senior management or, where applicable, the management committee. Responsibility for the information security function may be assigned to the chief information security officer (CISO).

4:179 For more information, please see the relevant NBB circulars (in particular Circular NBB_2019_19 which applies to all outsourcing, including cloud outsourcing, and Circular NBB_2009_17 on online services, etc.).