2013-01-01

Decision No. 8005 of 2013 on Technology Infrastructure and Information Systems

The Egyptian Financial Supervisory Authority issued Decision No. 8005 of 2013 to establish mandatory minimum technology infrastructure and information systems standards for securities brokerage companies. The regulation repeals previous fragmented directives and mandates compliance with specific requirements for connectivity, server configurations, cybersecurity, disaster recovery, and system logging by December 31, 2013. It further imposes stringent online trading controls, including mandatory multi-factor authentication, electronic signature integration, session management rules, and real-time client transaction notifications to ensure market integrity and data security.


Decision No. 8005 of 2013

Dated 2013/12/2

Chairman of the Egyptian Financial Supervisory Authority

Having reviewed Law No. 95 of 1992 issuing the Capital Market Law and its Executive Regulations; Law No. 93 of 2000 issuing the Central Depository and Registration of Securities Law and its Executive Regulations; Law No. 15 of 2004 issuing the Electronic Signature Law; Law No. 10 of 2009 regulating supervision over non-banking financial markets and instruments; Presidential Decree No. 192 of 2009 issuing the Basic Statute of the Egyptian Financial Supervisory Authority; Board of Directors Decisions Nos. 49 and 50 of 2006 and No. 68 of 2012; and what the Authority's Board of Directors approved in its session held on 2013/11/25, at the request of the Chairman, to issue a unified decision regulating the technology infrastructure and information systems requirements to be met by securities brokerage companies.


Decided

Article (1)

Articles 1, 2, and 3 of Article Three of the Authority's Board of Directors Decision No. 49 of 2006 and Appendices Nos. 3 and 4 of the same decision are repealed, Decision No. 50 of 2006 is repealed, the provisions concerning technology infrastructure in Appendix (1) of the Authority's Board of Directors Decision No. 68 of 2012 are repealed, and Appendix (2) of the same decision is repealed.

Article (2)

Securities brokerage companies shall comply with the technology infrastructure and information systems requirements in this decision as a minimum standard for their technology infrastructure.

Article (3)

Securities brokerage companies operating electronic trading systems shall document their systems in accordance with the provisions of this decision and its appendix by no later than 2013/12/31.

Article (4)

This decision and its appendices shall be published on the Authority's and the Exchange's websites, published in the Egyptian Gazette, and take effect from the day following its publication, repealing any provision contrary to its provisions and appendix.


Chairman of the Authority: Saif Sami, 2013/12/2


Egyptian Financial Supervisory Authority


Smart Village, Building 84 - B Km 28, Cairo/Alexandria Desert Road Giza Governorate, Postal Code: 12577

Tel: (+202) 3577004 Fax: (+202) 3534532 Email: info@efsa.gov.eg Website: www.efsa.gov.eg


Appendix to Decision No. 8005 of 2013 on Technology Infrastructure and Information Systems for Securities Brokerage Companies

Terms and Definitions Used

For the purpose of applying the provisions of this appendix, the following words and phrases shall have the meanings indicated alongside each of them.

Authority: Egyptian Financial Supervisory Authority.
Exchange: Egyptian Exchange.
Clearing Company: Egypt Clearing, Depository and Central Registry Company.
Company: Securities Brokerage Company.
Financial Information eXchange (FIX) Protocol: The protocol used for exchanging financial messages across the capital market among the various entities.
Disaster Recovery (DR) Site: The backup site of the securities brokerage company, used to conduct its activities in the event the main site suffers a disaster.
Main Servers: Computing servers on which the operating systems, applications and software used by securities brokerage companies are installed.
Active-Passive: A configuration pattern for information infrastructure devices comprising at least two identical systems, where one operates as the primary (active) system and the other as a passive backup that takes over if the primary system becomes unavailable for any reason.
Active-Active: A configuration pattern for information infrastructure devices comprising at least two identical systems, where both operate as a single unit and the operational workload is distributed across them.
Kilobit per second (Kb/s): A measure of data transfer speed across networks and communication lines.
Megabit per second (Mb/s): A measure of data transfer speed across networks and communication lines, equal to 1000 Kb/s.
Firewall: A system that isolates two or more networks of the same or different types and permits information flow between them only according to a set of access control lists, applied at least at the network level.
Logging Activities: Saved records covering everything related to a given activity conducted through any component of the IT infrastructure, each entry logged with date and time (System Logs, Security Logs and Application Logs).
Fault-Tolerant: The ability of a system to recover from errors that would otherwise prevent it from operating normally.
Hot-Standby: The degree of readiness of a standby system to take over operation when the primary system is subjected to conditions preventing normal operation.
Cluster: A single system consisting of several identical parts (for example, identical servers) that all operate as one entity performing the required function.
Antivirus/Antimalware: Software responsible for protecting computing devices from viruses and other potentially harmful elements.
High Availability (HA): The degree of readiness of a system to continue operating without interruption when it is subjected to conditions that would otherwise prevent normal operation.
Cloud Network: A network that does not require fixed communication lines between all of its points.

Egyptian Financial Supervisory Authority Egyptian Financial Supervisory Authority


Smart Village, Building 84 - B Km 28, Cairo/Alexandria Desert Road Giza Governorate, Postal Code: 12577

Tel: (+202) 3577004 Fax: (+202) 3534532 Email: info@efsa.gov.eg Website: www.efsa.gov.eg


Part One

Technology Infrastructure and Information Systems Requirements for Securities Brokerage Companies

The provisions of this Part shall apply to all securities brokerage companies, as follows:

Clause (1): Communication Means

The Company shall provide the necessary infrastructure for automated connectivity with the Exchange and the Clearing Company in accordance with the technical specifications set by the Exchange and the Clearing Company, through a primary communication line and a backup line for each, which may operate in Active-Passive or Active-Active mode, with an effective connection capacity of no less than 1 Mb/s. Additionally, a communication line must be available between each brokerage company and its backup site with a capacity of no less than 512 Kb/s. Other communication technologies serving the same purpose, such as cloud networking via any service provider, may also be used.

Clause (2): Central Servers and Operating Systems

The Company shall be obligated to provide the necessary server hardware to operate the following services and servers:

  • Application Servers
  • Database Servers
  • Financial Information eXchange (FIX) Server

The hardware specifications must be suitable for operating these services, and the following must be observed:

  • Provision of modern and licensed operating systems on the servers.
  • Provision of licensed systems, applications, and software necessary to operate the various services.
  • Server hardware must be configured to achieve the required level of continuous non-stop operation (High Availability).

Clause (3): Information Protection and Security

The Company shall comply with the following:

  • Installation of a firewall system to secure all communication networks within the Company and between the Company and other entities; separate network segments may be served by separate interfaces (ports) on the same firewall.
  • Provision of network protection systems appropriate to the services requiring protection, for example an Intrusion Prevention System (IPS).



Clause (4): Periodic Maintenance Procedures

  • Conduct periodic maintenance of network security devices, adhering to appropriate configuration rules and keeping them continuously up to date.
  • Provide all computing devices connected to the Company's network (desktops, laptops, servers and their software) with current virus and malware protection updates (Antivirus/Antimalware).
  • Apply periodic updates to operating systems, applications and other software.
  • Implement a monitoring and access control system for the Server/Data Room, covering access both from inside and from outside, using available and appropriate means.
  • Physically separate service systems of different security levels (this also applies where a virtualized environment is used).
  • Notify the Authority of any security incident affecting the IT infrastructure or operating systems.

Clause (5): Time Synchronization

The Company shall synchronize the time for all information systems, devices running these systems, and all networks, ensuring a unified time identical to that of the Exchange's systems.

Clause (6): Logging and Record Retention

The Company shall log all activities occurring on all devices and their dependent auxiliary devices (computers, network devices and information security devices), covering System Logs, Security Logs and Application Logs, and shall retain these logs for a period of no less than five years from the date of the activity.

Clause (7): Disaster Recovery Site

  • The Company shall provide a Disaster Recovery Site equipped with the server hardware necessary to run the applications operating at the main site, while maintaining a copy of the data that is updated at least daily and ensuring the protection and confidentiality of that data.
  • The Disaster Recovery Site shall be subject to the same operational and security controls as the Company's main site, so that services can be activated at the backup site immediately upon the cessation of operations at the main site, after notifying the Authority.
  • Where the Disaster Recovery Site is hosted by a third party, all controls on the hosting of securities brokerage company services (as issued by the Authority in this regard) must be observed.
  • Neither the main site nor the backup site shall be relocated without obtaining the Authority's approval.



Part Two

Requirements Specific to Companies Operating Online Trading Systems

Without prejudice to the aforementioned technology infrastructure and information systems requirements for all securities brokerage companies, the provisions of this Part shall apply to securities brokerage companies operating online trading systems as follows:

Clause (7): Internet Connection Lines

A primary and a backup internet connection line must be available, operating in Active-Passive or Active-Active mode, with an effective connection capacity of no less than 1 Mb/s.

Clause (8): Central Servers and Operating Systems

Servers must be available to host the Company's official website and online trading application.

Clause (9): Customer Identity Verification Systems

Customer identity must be verified electronically using Multi-Factor Authentication comprising at least two factors (Two-Factor Authentication), the first factor being a username and password. The second factor may be, for example, one of the following:

  • One-Time Password (OTP)
  • Digital Signature Certificate
  • Any emerging electronic security measures approved by the Authority

The Company shall also comply with the following:

  • Provision of the technological infrastructure supporting the verification technologies (Multi-Factor Authentication).
  • Provision of the technological infrastructure supporting electronic signature technology (Digital Signature), with certificates issued by one of the certification service providers licensed by the Information Technology Industry Development Agency (ITIDA).
  • The Company shall enable the electronic signature feature for any client who requests it within 3 working days from the day following the request, at actual cost.
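The two-factor check in Clause (9) (username and password as the first factor, a One-Time Password as the second) is illustrated below. This is an added example written for this page, not part of the decision and not code from the Authority or any brokerage system. It assumes a time-based OTP per RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) and a one-step clock-skew window; the account store, the iteration count and the names are all illustrative.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Dict

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6
WINDOW = 1          # assumption: accept one step of clock skew either side


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # First factor: salted PBKDF2-HMAC-SHA256 (iteration count is illustrative).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class Account:
    """Illustrative in-memory account record (assumption: a real system uses a database)."""

    def __init__(self, password: str, otp_secret: bytes) -> None:
        self.salt = secrets.token_bytes(16)
        self.password_hash = hash_password(password, self.salt)
        self.otp_secret = otp_secret
        self.last_otp_counter = -1   # highest OTP step already accepted (replay guard)


def verify_password(acct: Account, password: str) -> bool:
    return hmac.compare_digest(hash_password(password, acct.salt), acct.password_hash)


def verify_totp(acct: Account, code: str, unix_time: int) -> bool:
    """Accept the code for the current step or WINDOW steps either side, but never for a
    step at or below the last accepted one, so a captured code cannot be replayed."""
    base = unix_time // STEP_SECONDS
    for counter in range(base - WINDOW, base + WINDOW + 1):
        if counter <= acct.last_otp_counter:
            continue
        if hmac.compare_digest(hotp(acct.otp_secret, counter), code):
            acct.last_otp_counter = counter
            return True
    return False


def authenticate(accounts: Dict[str, Account], username: str, password: str,
                 code: str, unix_time: int) -> bool:
    """Both factors must pass; the OTP is only consumed after the password is verified."""
    acct = accounts.get(username)
    if acct is None:
        # Spend the same hashing cost for unknown users so timing does not reveal valid usernames.
        hash_password(password, b"\x00" * 16)
        return False
    if not verify_password(acct, password):
        return False
    return verify_totp(acct, code, unix_time)
```

The OTP secret must be stored with the same care as the password hash (ideally in an HSM or encrypted at rest), and the replay guard only works if `last_otp_counter` is persisted; a server that forgets it on restart would accept the same code twice within the window.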



Clause (10): Controls Specific to Electronic Signatures

The Company shall be obligated to inform online trading clients about the availability and importance of the electronic signature feature as follows:

  • Displaying a notice on the main screen of the online trading system stating that the electronic signature subscription is available to any client who wishes to use it, and emphasizing that it represents one of the highest levels of security for the client and their transactions.
  • Including the same notice in the appendix to the client's account opening contract.

Clause (11): Online Trading System Controls

  • The website must be secured with an electronic certificate dedicated to identifying the site and encrypting data.
  • Information delivered to clients must be encrypted in transit so that their browsers show the pages as valid and secure under that certificate.
  • A unique Session ID must be issued for each connection, accompanied by a Time Stamp.
  • The online trading system must not allow access to a client's account from more than one browser, or the opening of more than one session, at the same time.
  • Applications must be built on the basis of input validation (Field Validation).
  • The Company must retain complete records of tax statements and Transaction Logs for at least 5 years.
  • All login and logout operations, and all orders issued by clients and others, must be logged.
  • The trading system must compel the client to change their account password upon first login after the initial password is created by the system administrator, and whenever the password is changed by the administrator for any reason.
  • The trading system must notify the client immediately upon a successful password change, through the communication method agreed in the contract.
  • The trading system must not leave inactive (idle) connections with the client open, and must notify the client by SMS or email when it closes one.
  • The client must be notified of, and must confirm, any transaction affecting their account balance, through the communication method agreed in the contract.
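The session and account controls of Clause (11) (unique Session ID with Time Stamp, one session per client, forced password change after an administrator sets the password, logging of login/logout/orders, closing idle connections and notifying the client through the agreed channel) can be enforced in one small session layer. The example below is added to this page for illustration; it is not part of the decision and not code from any brokerage system. It assumes the two factors have already been verified before `login` is called, that the new password hash is computed by that authentication layer, and that a 5-minute idle limit, the notification callback and all names are illustrative choices.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

IDLE_TIMEOUT_SECONDS = 300   # assumption: the decision sets no figure; 5 minutes is illustrative


@dataclass
class Session:
    session_id: str
    client_id: str
    created_at: float      # the Time Stamp issued together with the Session ID
    last_seen: float


@dataclass
class ClientRecord:
    contact: str                        # communication channel agreed in the contract
    password_hash: bytes = b""
    must_change_password: bool = True   # True whenever an administrator set the password


class TradingSessionManager:
    """Single-session, idle-limited sessions with an audit trail and client notifications."""

    def __init__(self, notify: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time) -> None:
        self.notify = notify          # e.g. an SMS/email sender (assumption: injected)
        self.clock = clock            # injectable so idle expiry can be tested offline
        self.clients: Dict[str, ClientRecord] = {}
        self.sessions: Dict[str, Session] = {}
        self.session_of: Dict[str, str] = {}   # client_id -> active session_id
        self.audit: List[dict] = []

    def register_client(self, client_id: str, contact: str) -> None:
        self.clients[client_id] = ClientRecord(contact=contact)

    def admin_reset_password(self, client_id: str, temp_hash: bytes) -> None:
        rec = self.clients[client_id]
        rec.password_hash, rec.must_change_password = temp_hash, True
        self._log("admin_password_reset", client_id)

    def _log(self, event: str, client_id: str, **extra) -> None:
        self.audit.append({"ts": self.clock(), "event": event, "client": client_id, **extra})

    def _drop(self, session_id: str, reason: str) -> None:
        s = self.sessions.pop(session_id)
        self.session_of.pop(s.client_id, None)
        self._log("logout", s.client_id, session=session_id, reason=reason)
        if reason == "idle_timeout":
            self.notify(self.clients[s.client_id].contact, "Your session was closed after inactivity.")

    def _expire_idle(self) -> None:
        now = self.clock()
        for sid, s in list(self.sessions.items()):
            if now - s.last_seen > IDLE_TIMEOUT_SECONDS:
                self._drop(sid, "idle_timeout")

    def login(self, client_id: str) -> Optional[str]:
        """Called after both authentication factors passed; refuses a second concurrent session."""
        self._expire_idle()
        if client_id in self.session_of:
            self._log("login_rejected", client_id, reason="concurrent_session")
            return None
        now = self.clock()
        sid = secrets.token_urlsafe(32)   # 256-bit unpredictable Session ID
        self.sessions[sid] = Session(sid, client_id, now, now)
        self.session_of[client_id] = sid
        self._log("login", client_id, session=sid)
        return sid

    def touch(self, session_id: str) -> Optional[Session]:
        """Validate a session on every request and refresh its activity timestamp."""
        self._expire_idle()
        s = self.sessions.get(session_id)
        if s is not None:
            s.last_seen = self.clock()
        return s

    def logout(self, session_id: str) -> None:
        if session_id in self.sessions:
            self._drop(session_id, "client_logout")

    def change_password(self, session_id: str, new_hash: bytes) -> bool:
        s = self.touch(session_id)
        if s is None:
            return False
        rec = self.clients[s.client_id]
        rec.password_hash, rec.must_change_password = new_hash, False
        self._log("password_changed", s.client_id, session=session_id)
        self.notify(rec.contact, "Your online trading password was changed.")
        return True

    def place_order(self, session_id: str, order: dict) -> bool:
        """Orders are refused until an administrator-set password has been replaced."""
        s = self.touch(session_id)
        if s is None or self.clients[s.client_id].must_change_password:
            return False
        self._log("order", s.client_id, session=session_id, order=order)
        self.notify(self.clients[s.client_id].contact, f"Order received: {order}")
        return True
```

Two details matter for the "one session at a time" rule: the second login is refused rather than silently evicting the first (an attacker with stolen credentials should not be able to push the legitimate client off), and stale sessions are expired before that check so a client who simply closed the browser is not locked out until the idle limit has passed.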
