Turkey’s Capital Markets Board has announced rules for managing and auditing information systems. Among other entities, the new regime applies to publicly held companies, pension funds and custodians. The rules address security and audit requirements, outline management liabilities and introduce an obligation to develop an information policy, which is approved by the board of directors.

The following entities must now obey the principles introduced under the Communiqué on Information Systems Management while managing information systems:

  • Publicly held companies.
  • Pension mutual funds.
  • Custodians.
  • Capital market institutions.
  • BORSA İstanbul A.Ş.
  • Stock market, market operators and other markets.
  • Istanbul Takas ve Saklama Bankası A.Ş.
  • Central Registry Agency.
  • Capital Markets Licensing Agency.
  • Turkey Capital Markets Association.
  • Turkey Valuation Experts Association.

According to the Communiqué, these entities must now:

  • Ensure effective and sustainable information systems exist, aligned with business objectives.
  • Provide security for information systems.
  • Perform a risk analysis at least once per year, as well as undertake a penetration test.
  • Provide security for clients’ information obtained or preserved through information systems.
  • Control performance and plan capacity within the sustainability plan’s scope and, within this scope, establish secondary systems and keep the primary and secondary systems in Turkey.

The noted entities must have an information policy, approved by the board of directors. Senior management will be responsible for implementing information security policies, as well as:

  • Assessing critical projects regarding the applicability of new information systems and resource allocation.
  • Annually analyzing and approving information security policies.
  • Annually assessing information security infringements.
  • Identifying risks to information systems and performing risk management activities to reduce risk.
  • Establishing a surveillance mechanism for outsourced aspects.

Information systems must be regularly reviewed by an independent auditor. The frequency depends on the institution type:

Institutions which are subject to the Communiqué on Independent Audit of Information Systems but not listed in the table above are not subject to periodic independent auditing requirements.

Please see these links for the full text of the relevant Communiqués, published in Official Gazette number 30292 on 5 January 2018 and entering into force on the same date (only available in Turkish):

– Communiqué on Information Systems Management number VII-128.9

– Communiqué on Independent Audit of Information Systems number III-62.2

Information first published in the MA | Gazette, a fortnightly legal update newsletter produced by Moroğlu Arseven.