TÜRKIYE Law and Practice Contributed by: Bora Yazıcıoğlu, Kübra İslamoğlu Bayer, Aslı Rabia Savaş and Yağmur Yaren Özdabakoğlu, YAZICIOGLU Legal
3. Financial Sector Operational Resilience Regulation

3.1 Scope of Financial Sector Operational Resilience Regulation

There is no general legislation covering the Turkish financial sector’s operational resilience. Rather, relevant regulations of the BRSA, TRCB and CMB set the rules on the management of information systems for banks, payment and electronic money institutions, and capital market institutions respectively.

• The information systems of banks are regulated by By-Law ISBEBS. It applies to deposit banks, participation banks, development and investment banks established in Türkiye and the Turkish branches of such foreign banks.

• The information systems of payment institutions and electronic money institutions are regulated by the Communiqué on Data-Sharing Services in the Payment Services Area of Payment and Electronic Money Institutions’ Information Systems and Payment Service Providers (the “Communiqué on Payment Services”). The Communiqué covers payment institutions and electronic money institutions, which consist of an exhaustive list of institutions that are authorised by the TRCB in accordance with the Law on Payment and Securities Settlement Systems, Payment Services, and Electronic Money Institutions.

• The CMB has a Communiqué on Information Systems Management (the “CMB Communiqué”). This Communiqué concerns stock exchanges and market operators and other organised marketplaces, publicly held corporations, and capital market institutions (eg, investment firms, collective investment schemes, portfolio management companies, and cryptocurrency service providers), among others. This Communiqué was superseded
the likelihood or lack thereof to result in a risk to the rights and freedoms of natural persons).

Sectoral Notification Duties

• In the e-communications sector, the By-Law on NIS in the E-Communication Sector requires the operator to notify ICTA regarding network and information security breaches that affect more than 5% of its subscribers and the circumstances that interrupt the continuity of the business. The notification must include, as a minimum, the time, nature, impact and duration of the breach, as well as the measures taken.

• In the banking sector, the By-Law on Information Systems of Banks and Electronic Banking Services (the “By-Law ISBEBS”) requires banks to report cyber-events to the BRSA.

• A cyber-attack affecting a public company must be disclosed to the public as per the Communiqué on Material Events Disclosure.

• In the healthcare sector, as per the Directive on the Information Security Policies of the Ministry of Health, all information security breach incidents related to the Ministry of Health must be submitted to the central breach notification system thereof.

2.4 State Responsibilities and Obligations
For the allocation of duties and the details thereof, see 1.3 Cybersecurity Regulators. See also 2.1 Scope of Critical Infrastructure Cybersecurity Regulation and 2.2 Critical Infrastructure Cybersecurity Requirements for obligations provided for public institutions under the ICS Guide.