The Dutch Authority for the Financial Markets (AFM) publishes the Principles for Information Security. With this policy statement, the AFM outlines its expectations regarding the behaviour of financial firms and audit firms in the field of information security. The principles were submitted for consultation earlier this year and have now become definitive.
The management of information security risks is becoming increasingly important as a result of the growing digitalisation of society. The AFM expects firms to take appropriate measures to guarantee the continuity and reliability of their IT and provision of information, and to limit the impact of any security incidents. The principles provide guidance in this respect.
The principles are not new rules; they consist of starting points with regard to issues that involve various statutory norms subject to supervision by the AFM. In this way, the AFM increases the predictability of its supervision. Firms decide for themselves how they implement these principles.
Reactions to the consultation
The AFM received comments and recommendations from 26 organisations during the consultation process. These reactions have enabled the AFM to clarify the principles. The AFM thanks them for their input.
In addition, several organisations have asked for more clarity regarding the legal framework, proportionality and (inter)national convergence. In the feedback statement, the AFM gives a short description of the question(s) received for each subject, after which the AFM answers the question(s) and explains why it has made a certain choice.
The AFM is committed to promoting fair and transparent financial markets.
As an independent market conduct authority, we contribute to a sustainable financial system and prosperity in the Netherlands.