The Netherlands Authority for the Financial Markets (Autoriteit Financiële Markten, the AFM) has invited market parties to respond to its consultation on the ‘Principles for Information Security’. This policy statement (beleidsuiting) describes the expectations of the AFM with regard to information security as part of the controlled and sound operations of financial institutions and accounting firms.

The AFM indicates that it expects financial institutions and accounting firms to put sufficient safeguards in place when it comes to the confidentiality and integrity of information and the availability of information, data and systems. For this purpose, the AFM has formulated 12 principles covering various aspects of information security (e.g. data, people and culture, physical security, technology, response and recovery, outsourcing). These principles are not new, as they are based on various statutory obligations which are already subject to supervision by the AFM. The AFM emphasises that the principles do not describe how statutory obligations are met; they instead describe the AFM’s expectations.

The AFM invites market parties to answer the following three questions as part of its consultation:

  1. Which points in the policy statement Principles for Information Security do you agree with?
  2. Which points in the policy statement do not make sense to you? Do you foresee any problems? If so, why?
  3. What are your proposals for improvements?

Responses need to be submitted to the AFM by 25 June 2019.

View the policy statement, 15 May 2019.

View the response form, 15 May 2019.