Information technology continues to significantly impact the development and growth of the capital market in Nigeria and the world over. In May 2022, in an effort to ensure the integrity of the information systems that capital market operators employ in digitizing their processes, the Securities and Exchange Commission ("SEC") issued the exposure draft of the Guidelines on Minimum Operating Standards for Information Technology for Capital Market Operators in Nigeria ("Proposed Guidelines"). The purpose of the Proposed Guidelines is to establish a standard of operational efficiency in the Nigerian capital market for operators using information technology to provide services, and to ensure security, confidentiality, integrity and reliability. The Proposed Guidelines provide the minimum requirements for the computing environment, Information Technology/Information System Management, Websites and Emails, Brokers, Custodians and Trustees, Registrars, and Clearing Houses.
This newsletter will analyze in summary some of the salient provisions of the Proposed Guidelines.
Applicability of the Proposed Guidelines
The Proposed Guidelines apply generally to, and are binding on, all categories of capital market operators ("CMOs"), except where they refer specifically to a particular category. Generally, SEC rules identify a CMO as one (either an individual or a company) who operates in the Nigerian capital market, either as an expert, a professional or in any other capacity whatsoever as may be determined by SEC, or who carries on investment and securities business.
What are the Minimum Requirements for a Computing Environment?
The Proposed Guidelines require that all CMOs shall:
- maintain any one or a combination of client-server, cloud, distributed or time-sharing environments which suit their operations and business objectives.
- own and manage a private data center, or employ the services of a cloud service provider ("CSP") for computing, storage and networking requirements. Where the CMO employs the services of a CSP, it shall conduct proper due diligence and ensure that the data security, governance and business policies of both parties align. The CMO must also be aware and always informed of the data privacy rules and regulations governing personal data in the jurisdiction where the CSP stores personal data.
These requirements are applicable to all electronic workstations, data storage devices, software applications and networks interfacing to support the processing and exchange of information for the business.
What are the Minimum Requirements for Information Technology/Information Systems ("IT/IS") Management and Governance?
The Proposed Guidelines describe IT/IS as the interaction between humans and technology which is relied upon by an organization for the collection, storage, processing and transmission of information and digital products. For the effective management and governance of IT/IS, CMOs are required to:
- maintain an IT policy which is duly approved by the Board, and which shall be reviewed every 5 years.
- have an IT steering committee, established by the Board and chaired by the Executive Director, to provide IT/IS governance for the organization. The committee shall hold meetings at least once a month.
- operate a cybersecurity policy which shall conform to international best practices and be effective in ensuring the safety, confidentiality and reliability of the network, data, information systems and their underlying technologies.
- establish internal audit and risk management functions.
These requirements are applicable to all CMOs except Capital Market Consultants/Experts, sole proprietorships, and business names.
What are the Minimum Requirements for Websites and Electronic Mails?
SEC requires that a CMO shall:
- Have a functional website which contains relevant and up-to-date information.
- Ensure that content management of its websites is performed internally and not outsourced to third parties.
- Own and register its own domain name.
- Ensure that access to databases and backend systems is only possible from front-end web applications and not through the internet directly.
Capital Market Consultants/Experts, sole proprietorships and business names are also exempt from meeting these requirements.
In addition to the above, Brokers, Registrars, Central Securities Depositories and Clearing Houses, Custodians and Trustees are also required to have websites and web applications that allow their clients/investors to securely create and manage their accounts/profiles online, make enquiries and receive customer support.
Considering the ever-increasing need for and reliance on information technology in capital market operations, and the evolving nature of technological trends, the Proposed Guidelines are of utmost importance in ensuring that the vast benefits of technology open to market operators are fully harnessed without fear of cybercrimes and other security risks associated with the use of technology.