INTRODUCTION
The Nigerian Securities and Exchange Commission (“SEC”) released the Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators (CMOs) pursuant to section 13(g) of the Investment and Securities Act 2007 to register and regulate corporate and individual capital market operators as defined in the Act.
Given the rising reliance of financial services and related business activities on technology, the SEC felt the necessity to enact rules that set basic operational requirements for all capital market operators’ use of information technology. This would allow operators to reap the significant operational gains that come with technology adoption while also managing the cybersecurity threats and other hazards that come with it. It would also improve the Commission’s efficacy and efficiency in monitoring and regulating all CMOs on the market.[1]
The guideline which applies to all categories of CMOs except in areas where some categories are exempted has a goal, which is to set a benchmark for operational efficiency in the Nigerian capital market by maintaining the security, confidentiality, integrity, and dependability of information systems and implementing effective information technology in corporate operations.[2]
Against the backdrop of the foregoing, this article expatiates the information technology operating standards for capital market operators in Nigeria.
CONCEPTUAL CLARIFICATION
It is pertinent to understand the meaning of certain concepts discussed in this article viz- Capital Market and Capital Market Operators.
Capital Market: The capital market is a marketplace for the purchase and sale of medium to long-term securities (i.e., ordinary shares, preference shares, bonds, and debentures). The capital market also allows for indirect investments in securities through Collective Investment Scheme products (CIS).[3]
The Securities and Exchange Commission (SEC) is the primary regulator of the Capital Market. Other authorities include the Nigerian Stock Exchange Commission, which oversees stock exchange listings, and the Central Bank of Nigeria (CBN).
Capital Market Operators (CMOs): By the definition of the Investments and Securities Act, CMOs refer to persons (individual or corporate), duly registered by the Commission to perform specific functions in the capital market.[4] In other words, CMOs are persons who facilitate the processes in Capital Market transactions. Issuing houses/merchant bankers, underwriters, brokers/ dealers, sub-brokers, receiving bankers, registrars, trustees investment advisers (corporate and individual), fund/ portfolio managers, rating agencies, market makers, and custodians are referred to as Capital Market operators in Nigeria.[5]
The law mandates that any company or individual seeking to offer any capital market-related services must be licensed or registered with the Securities and Exchange Commission. Section 38 (1) of the Investment and Securities Act 2007, elucidates this point. It provides to the effect that: “No persons shall operate in the Nigerian capital market as an expert or professional or in any other capacity as may be determined by the Commission; or carry-on investments and securities business unless the person is registered per this Act and the rules and regulations made thereunder.”
The Commission also prescribes the conditions for registration including the level of knowledge and skill required to operate in the capital market.[6]
INFORMATION TECHNOLOGY REQUIREMENTS FOR CAPITAL MARKET OPERATORS
One of the most effective levers in the capital market for addressing current industry difficulties and delivering future opportunities is technology.[7] Therefore, in addition to the Securities and Exchange Commission’s requirement for every CMO in Nigeria to be licensed or registered, such entities are also expected to meet certain IT requirements, although some requirements are specific to some categories of CMOs. The information technology operating standards for capital market operators are discussed below:
- Computing Environment Requirements
The computer environment must be one or more of the following: client-server cloud, distributed, or time-sharing. The computing environment must be well-suited to the Capital Market Operator’s activities and business objectives. Hardware systems and all other IT equipment in the environment must be kept in physical premises with sufficient security, access control, power, and cooling to assure service availability and continuity.[8]
It should be noted that a computing environment is a group of electronic workstations, data storage devices, computer equipment, software programs, and networks that operate together to facilitate the processing and sharing of electronic data for business purposes.[9]
- Requirements for Private Data Center, Colocation, and Public Cloud Service
It is required that for the processing, storage, and networking needs, Capital Market Operators must either build and run a private data center, rent rack spaces in a colocation data center facility, or use the services of a public cloud service provider (CSP). They can do that by utilizing Private Data Centers, utilizing Colocation services, subscribing to Cloud Services, or employing a hybrid of any of the aforementioned.[10]
For CMOs that utilize Private Data Centers, the requirements are as follows:
- The physical space is to be adequate to house all the servers, storage devices, networking devices, and computer machines in well-arranged racks with room for scalability.
- There is to be a biometric access control system in place for authorized entry into the data center
- There must be round-the-clock monitored video surveillance of the data center using CCTV devices which will provide a good view of the entry point and all critical devices in the data center.
- The data center is to be set up to the standard of a Tier-3 rated facility in terms of expected uptime, fault tolerance and redundancy, and multiple paths for power and cooling.
- There must be adequate personnel and infrastructure in place to ensure physical security.
- There must be a well-trained and qualified data center administrator to manage the facility.[11]
For CMOs that utilize Colocation services, it is required that the minimum requirements are in place for a colocation data center facility to be used by CMOs. These requirements are as follows:[12]
- The colocation data center must be up to the standard of a Tier-3 rated facility in terms of expected uptime, fault tolerance and redundancy, and multiple paths for power and cooling.
- The location must be reasonably close geographically to the CMO’s headquarters and shall provide ease of access for IT personnel who would need to visit for regular or emergency maintenance.
- They must have a verifiable track record of reliability in terms of adequacy of power and cooling, data backup, low-latency networking, adequate bandwidth, and physical security.
- There must be a well-executed service level agreement that reflects fair pricing for the service received and clearly stated rights and obligations of both parties.
- They must demonstrate compliance with the rules of the National Information Technology Development Agency (NITDA) and any other relevant government agencies.
It is equally important to state that adequate due diligence must be carried out before subscribing to the service of a colocation data center facility.[13]
For CMOs that subscribe to Cloud Services, the minimum requirements to be in place for a CSP(cloud service provider) to be used by CMOs as follows:[14]
- The CSP must demonstrate adherence to industry best practices and compliance with the rules of NITDA and any other relevant government agencies.
- The CSP must possess certifications like the ISO 27000 series for information security or comparable international information security standards and comply with other applicable and recognized international standards and frameworks.
- The CSP’s data security, data governance, and business policies must be well understood and must align with the CMO’s data security policies and business processes. The CMO must be aware of the regulatory and data privacy rules governing personal data in the jurisdiction of data residency being used by the CSP and the CMO shall ensure this aligns with its business processes and objectives.
- There must be a well-executed service level agreement that reflects fair pricing for the service received and clearly stated rights and obligations of both parties. This shall meet up to the applicable ISO standards for Service level agreements (SLA) ISO/IEC 19086-1:2016 or comparable international SLA standards.
It is fundamental to note that for the management of the hardware and software of various computer systems that CMOs may use to support their operations, there are set minimum requirements[15] as well as requirements for Servers, User Systems, Workstations, and Storage/Backup Systems.[16]
- Information Technology/Information Systems Management and Governance Requirements
The interrelatedness of social and technical systems for the collection, storage, processing, and transmission of information and other digital products is referred to as Information Systems, while IT systems refer to the hardware, software, and networks that enable Information Systems to function.[17] The minimum IT/IS management and governance requirements are as follows:
- IT Policy: The requirement is that there must be an IT policy duly approved by the Board which can be reviewed not more than every five years. The IT policy is to set out the organization’s policy for the management and governance of IT and Information Systems. The policy scope is to comprehensively reflect and comply with the minimum guidelines set and must cover every other area as are relevant to ensuring information security and the efficiency of technology-dependent business processes. There must also be in place, an IT steering committee constituted by the board and chaired by an Executive Director to provide IT/IS governance for the organization which must meet regularly; at least monthly.[18]
- IT/IS Audit and Risk Management: The requirement is that there must be an internal IT/IS audit function in place and the audit approach must be risk-based. There must also be an IT/IS risk management function in place with a stand-alone function or part of an enterprise-wide risk management function.[19]
- Information Security and Cybersecurity: The requirement is that there must be an Information Security and Cybersecurity policy in place which must form part of the enterprise IT policy of the organization. The Information Security and Cybersecurity policy is required to conform to up-to-date international best practices and must be appropriate and adequate to ensure the safety, confidentiality, and reliability of the networks, data, information systems, and their underlying technologies. Firewalls, intrusion detection technologies, data encryption, and other relevant technologies and systems must be employed to provide adequate network security against cybersecurity threats. All user systems (Computers and hand-held devices) hosted on the network must be secured with up-to-date antivirus and antimalware protection. It is required that a policy should be in place to guide acceptable access and use of information systems remotely to ensure adequate security, confidentiality, reliability, and integrity of data, network resources, and information systems. Physical access to network infrastructure, workstations, and critical systems must be restricted to only authorized persons. Also, there must be regular and updated security awareness for all staff in the organization, communicated via email and other media. For Exchanges, Fund Managers, Registrars, and Clearing Houses, regular penetration tests must be conducted at least annually to detect vulnerabilities and check the resilience of the network and systems to threats and malicious activities.[20]
- IT/IS Staff: As a requirement, IT/IS functions must be staffed by skilled and competent individuals who have verified certification, relevant education, or relevant experience. These employees must be sufficiently taught to keep up with the fast-paced changes and evolutions that characterize the technology industry.[21]
It should be noted that not all categories of CMOs are subject to the minimum IT/IS management and governance requirements. Capital Market Consultants/Experts, Sole Proprietorships or Business Names are exempted from the application.
- Web Sites and Electronic Mails Requirements
Web Sites: By the provisions of the guidelines, all CMOs are mandated to have a functional website that contains correct, up-to-date, and relevant information. Websites are not to display errors or system messages revealing information about the underlying configuration of web applications. Websites must use the HTTPS (not merely HTTP) network protocol and other measures to ensure secured interoperability. Also, adequate security measures must be put in place to ensure protection against availability attacks (especially denial of service attacks), integrity attacks, and confidentiality attacks.[22]
In addition to the requirements mentioned above, CMOs other than Capital Market Consultants/Experts, Sole Proprietorships, or Business Names, are mandated to conduct regular audits and vulnerability tests to identify and fix vulnerabilities in the underlying operating systems, databases, webservers, and third-party software/applications. Also, websites that allow file upload must verify file types and scan for malicious code. The content management of websites must be entirely domiciled in the CMO and not a third party. The development, hosting, and maintenance of websites can involve third parties, in which case all the applicable requirements stated in the guidelines to ensure availability, confidentiality, and integrity of the website must be included as mandatory elements of the terms of the contract and Service Level Agreement.[23]
Electronic Mails; As a requirement, all CMOs are required to have a functional electronic mailing system either hosted privately or using a cloud service provider. The domain names are to be owned and registered by the CMO. Also, the use of the services of free email providers and private emails like Yahoomail, Gmail, Hotmail, etc. is prohibited for official communications. In setting up the email service, appropriate encryption protocols must be applied to achieve a minimum of transport-level encryption for securing email content. There must be an email system security management plan in place to ensure mail server and content security, security of the operating systems, security of mail gateways, and mail client security. Furthermore, Email users are to be trained on how to prevent email client-side attacks like spoofing and phishing.[24]
Equally important if not fundamental is that, to ensure that CMOs can continue operations at an acceptable level in the event of unforeseen IT service disruptions, CMOs other than Capital Market Consultants/Experts, Sole Proprietorships, or Business Names are to have a documented Business Continuity Plan and a Disaster Recovery plan.[25]
CMO Categories and their additional Technology Requirements
There are certain categories of CMOs like Exchange, Fund/Asset Managers, Broker, Registrars, Central Securities Depositories, and Clearing Houses that are required to meet additional IT requirements. These additional requirements are highlighted below:
Exchanges: Exchanges are required to have secure trading platforms with robust features that include real-time quotes, charting tools, news feeds, trade monitoring, and premium research. They are also required to have a surveillance system that provides real-time monitoring of all trading activities.[26]
Fund/Asset Managers: To improve accessibility to the market for retail investors and to drive market penetration and inclusion, Fund/Asset Managers are required to have websites and web applications that allow investors to securely create and manage investment accounts online, make enquiries using chat-bots or other interactive programs from web browsers. They are also required to have mobile applications that provide free access to the full stack of their service offering and allow retail investors to securely create and manage investment accounts online, make enquiries, and receive in-app customer support.[27]
Brokers: Brokers are required to have websites and web applications that allow investors to securely create and manage their equity accounts online, make enquiries and receive customer support using chatbots or other interactive programs from web browsers.[28]
Registrars, Central Securities Depositories, and Clearing Houses: Central Securities Depositories and Clearing Houses are to have databases integrated with Application Programming Interfaces (APIs) that Registrars and Brokers can feed on as approved by the SEC. Registrars, Central Securities Depositories, and Clearing Houses are also required to have websites and web applications that allow investors to securely create and manage their profiles online, make enquiries and receive customer support using chatbots or other interactive programs from web browsers.[29]
CONCLUSION
It is believed that compliance with the provisions of the guideline when approved would serve to prompt all CMOs and indeed the entire capital market on the path of operational and regulatory efficiency and effectiveness as well as adequately managing the associated risks of using technology.[30] It is silhouetted against the foregoing that CMOs ensure to meet the requirements as provided by the provisions.
FOOTNOTES:
[1] Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[2] Ibid
[3] https://sec.gov.ng/ – ‘Opportunities in the Nigerian Capital Market by the Securities and Exchange Commission, Abuja’, a Paper Presented to the National Youth Corps Members at the Orientation Camp accessed on 2nd May 2022
[4] Section 315 of the Investment and Securities Act 2007
[5] Rule 45 of the Securities and Exchange Commission Rules and Regulations, 2013
[6] Section 38 (2) of the Investment and Securities Act 2007
[7]https://www.pwc.co.uk/financial-services/assets/technology-innovation-capital-markets-afme-pwc-fin-report.pdf accessed on the 24th of May 2022
[8] Guideline 1.1 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[9] Guideline 1 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[10] Guideline 1.2 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[11] Ibid
[12] ibid
[13] Ibid
[14] Ibid
[15] Guideline 1.3 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[16] Ibid
[17] Guideline 2 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[18] Guideline 2.1 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[19] Guideline 2.2 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[20] Guideline 2.3 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[21]Guideline 2.4 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[22]Guideline 3.1 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[23] ibid
[24] Guideline 3.2 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[25] Guidelines 4.1 & 4.2 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[26] Guideline 5.1 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[27] Guideline 5.2 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[28] Guideline 5.3 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[29] Guideline 5.4 of Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
[30] Proposed Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators
0 Comments