On 29 December 2022, the Dutch Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) published a report titled ‘Capital Markets Information Security Monitor’ (the Report).

According to the AFM, business processes of capital market institutions (e.g. trading venues, proprietary traders, and clearing & settlement institutions) are heavily and increasingly dependent on complex IT environments. This dependence makes these institutions vulnerable to internal and external cyber risks, which can affect the availability, integrity and confidentiality of information and systems. Capital market institutions are required by national and European legislation to take information security measures to safeguard the continuity and reliability of their IT and information systems and to prevent or limit the consequences of possible IT incidents and cyberattacks. The AFM notes that information security and related cyber risks form part of the most important operational risks faced by capital market institutions. The AFM has observed that not only the number of cyberattacks is increasing, but that the disruptive impact of attacks is also growing.

Taking into account the above, the AFM has conducted market-wide and individual investigations at capital market institutions and has been cooperating with the financial sector to further strengthen the resilience of capital market institutions. The Report contains the most recent observations on IT and cyber risks, based on a self-assessment survey completed by 14 capital market institutions. The survey confirmed that capital market institutions face high inherent information security and cyber risks, with 80% of participants indicating that their inherent IT risks are high. In anticipation of the new European Digital Operational Resilience Act (DORA), the AFM makes 7 recommendations for the sector in the Report, including having and maintaining a cyber-incident plan. These recommendations are related to the following 7 observations listed in the Report:

  • Observation 1: IT is crucial to business operations and is a key driver of innovating business practices.
  • Observation 2: Agile, DevOps and a hybrid approach to software development are the most popular.
  • Observation 3: Management of IT outsourcing and supply chain risks is critical. IT availability and continuity risks remain widespread in capital market institutions.
  • Observation 4: Security Operations Centres (SOCs) or similar security teams are an important tool in dealing with increasing cyber threats.
  • Observation 5: The IT architecture of capital market institutions is complex.
  • Observation 6: Patch management and implementing critical security patches is fundamental.
  • Observation 7: Clearly defined Recovery Time Objectives should be set for critical business processes.

Besides these observations, the Report also contains a brief section setting out some of the cyber threats faced by capital market institutions (e.g. social engineering, ransomware, supply chain treats, etc.).

The AFM also notes in the Report that DORA will broaden the AFM’s mandate for supervision on business operations and IT. The AFM will spend the next two years preparing for DORA supervision by strengthening its information position regarding the information security and operational risk management of financial institutions subject to its supervision, developing new supervisory methodologies, and actively reaching out to institutions to exchange information on cyber threats, risks and best practices.