The circular, governing the institutional entities that the Department of Capital Market, Insurance and Savings oversees, specifies that information risk management is an essential element of managing information technology, given the centrality of data systems to the institutions’ business processes and the increasing risks, such as cyber risks, to which these institutions are exposed. The circular aims to protect the rights of the institutions’ consumers and policyholders by safeguarding the confidentiality, integrity and availability of the information assets, data systems and business processes of the institutional entities. The circular obliges the institutions’ board of directors and management to oversee ongoing information security activities and cyber risks, to guide and monitor the implementation of data security, and to ensure the continued involvement of information security officers in the overall activities of the institutional entities.
The draft circular also sets out the principles for managing information security risks in institutions, as well as the obligations of such entities to manage the wide range of cyber and information security risks on the basis of data protection principles.
Among the key points in the draft circular are:
- The obligation of the institution’s board of directors to approve an information security policy at least once a year and to appoint a steering committee for this issue.
- The duty of the institution’s executives to ensure the proper management of data security, according to the objectives, policies and purposes of the institution, including the establishment of procedures and approval of annual work plans in the field of data security.
- The institution’s obligation to set a data security policy that establishes guidelines for the institution’s management to implement and control data security, as well as the duty to establish policies that define the data security processes and a work plan addressing the nature of the data, procedures, infrastructure and systems in the institution, including, at a minimum, a program for managing cyber risks and information security risks.
- Implementing the provisions relating to information and cyber security when using outsourcing services (including cloud services), including data security requirements within outsourcing agreements.
- Data security within the communication channels between the institutions’ customers and third parties.
According to the draft circular, it enters into effect on April 1, 2016, and will supersede circular 2006-9-9-6, “Directive for Information Security Risk Management at Institutional Entities”.