2014-01-01

Decision No. 316 of 2014 Regarding Technological Infrastructure and Information Security Requirements for Securities Companies' Hosting Service Providers

The Egyptian Financial Supervisory Authority issued Decision No. 316 of 2014 to mandate specific technological infrastructure and information security standards for securities companies and their hosting service providers. The decision requires hosting providers to be registered with the Authority and establishes that securities companies remain solely responsible for the management and security of their own data and systems. It further details technical specifications for internal networks, hardware, connectivity, and software to ensure operational efficiency and data protection.


Egypt

Financial Regulatory Authority Egypt


Chairman of the Board of Directors

Decision No. (216) of 2014

Dated 10/4/2014

Regarding the Technological Infrastructure and Information Security Systems Requirements

To be available to Hosting Service Providers

for Companies Working in Securities


Chairman of the Egyptian Financial Supervisory Authority (EFSA)

After reviewing Law No. 95 of 1992 issued regarding the Capital Market and its Executive Regulations, the Law on Central Deposit and Registration of Securities issued by Law No. (93) of 2000 and its Executive Regulations, Law No. 10 of 2009 issued regarding the regulation of supervision on non-banking financial markets and instruments, Presidential Decision No. 192 of 2009 issued regarding the Basic Statute of the Egyptian Financial Supervisory Authority, Decision No. (68) of 2012 of the Chairman of the Board of Directors of the Authority, Decision No. (105) of 2013 of the Board of Directors of the Authority, and the Board of Directors' decision in its session held on 25/11/2013 delegating the Chairman of the Authority to issue a unified decision regulating the requirements of technological infrastructure and information security systems to be available to hosting service providers for companies working in securities.


Decided

(Article One)

The Technical Specifications Manual of the Authority attached to this decision, which contains the necessary procedures for companies working in the field of securities, whether related to basic technological infrastructure or software, forms an integral part of this decision.

(Article Two)

Companies working in the field of securities and companies providing hosting services for companies working in securities are committed to what is stated in this decision and its attachments, and what is stated in Decision No. (105) of 2012 of the Chairman of the Authority, and any amendments that occur to these decisions, each regarding its part.


(Article Three)

Companies working in the field of securities may operate their automated services either for their main office or backup office, or both, with one of the hosting service providers, provided that the hosting service provider is registered in the Registry of Hosting Service Providers for Companies Working in Securities at the Authority.

(Article Four)

The Authority forms a committee to examine and study the documents submitted by companies working in the field of providing hosting services for companies working in securities for registration in the Authority's registry, and the committee may enlist the assistance of members with expertise.

(Article Five)

The Authority registers hosting companies for companies working in securities - after verifying compliance with the prescribed conditions and paying the service fee determined by the Board of Directors - in a special registry established for this purpose, and the registration is valid for two years from the date of obtaining it for a similar duration, and the conditions and rules begin.

(Article Six)

Without prejudice to the Service Level Agreement (SLA) between the hosting company for companies working in securities and the company working in the field of securities, the company working in the field of securities is responsible - alone - for the management and security of its data and technological infrastructure systems.

(Article Seven)

This decision and its attachments shall be published in the Egyptian Gazette and on the electronic website of the Egyptian Financial Supervisory Authority, the Egyptian Exchange, and Egypt Clear on the day following the date of its publication in the Egyptian Gazette, and any provision contrary to the provisions of this decision and its attachments is repealed.


Chairman of the Authority Sherif Samy


Attachments

  • Technological Infrastructure and Information Security Systems Requirements
  • Technical Specifications Manual of the Egyptian Financial Supervisory Authority

Egyptian Financial Supervisory Authority Egyptian Financial Supervisory Authority (EFSA)


Smart Branch, Building 15 B, Km 28 Cairo/Alexandria Desert Road, Giza Governorate, Postal Code: 12577 Email: info@efsa.gov.eg Website: www.efsa.gov.eg Phone: +202 2537 0040, Fax: +202 2537 0041


Technical Specifications Manual of the Egyptian Financial Supervisory Authority

Introduction

The Egyptian Financial Supervisory Authority is pleased to prepare the unified procedures manual which includes all services provided by all sectors, central departments, general departments, and all administrative centers of the Authority. This manual aims to simplify procedures, improve interactions with the Authority, and preserve the time of the Authority's clients. It also represents a step towards implementing and ensuring the quality of services provided to the Authority's clients. This manual also ensures the services provided by the Authority to clients and the necessary documents for each service provided and the competent authorities within the Authority.

For this purpose, the Information Services Sector of the Authority has prepared the Technical Specifications Manual for the sector, which contains the necessary procedures for companies working in the field of securities, whether related to basic technological infrastructure or software. This manual has referred to the terms and definitions used, as well as the general instructions and controls that must be followed by both companies working in the field of securities and hosting companies.

The first chapter of this manual addressed the technical specifications for the basic infrastructure of companies working in the field of securities, as well as the construction of their internal networks, the network components assisting in their construction, and the specifications of devices connected to them. The specifications of connection lines connecting both companies working in the field of securities and hosting companies with both the Exchange and Egypt Clear were also reviewed. The use of trading systems as well as auxiliary trading systems was also indicated.

The second chapter examines hosting services, which are the means by which companies working in the field of securities operate their systems, applications, and programs through hosting companies. This chapter also reviews the systems that can be hosted at hosting companies and the instructions that hosting companies must follow when the mentioned systems are implemented through them. The third chapter lists the decisions and periodic letters issued by the Authority in this regard.



Terms and Definitions Used in the Technical Specifications Manual of the Authority

The following words and phrases have the meanings specified below wherever they appear in this manual, unless the context indicates otherwise.

| Phrases | Meanings |
| --- | --- |
| Authority | Egyptian Financial Supervisory Authority |
| Exchange | Egyptian Exchange |
| Clearing Company | Egypt Clear |
| System used for exchanging financial messages at the capital market level among various parties | Financial Information eXchange (FIX) Protocol |
| A pattern of networking infrastructure devices that includes at least two identical systems, where one works as the primary system and the other works as a backup system to replace the primary system in case of its unavailability for any reason | Active – Passive |
| A pattern of networking infrastructure devices that includes at least two identical systems, where both systems work as one system to distribute the operational load across more than one system | Active – Active |
| A system that works to isolate between two networks of the same type or several types and allows the flow of information between networks through a set of access control lists at least at the network level | Firewall |
| Contains saved records that include everything related to a specific activity through any component in the basic information technology infrastructure, and is recorded with time and date (System Logs, Security Logs, and Application Logs) | Logging Activities |
| The program responsible for protecting computers from viruses and potentially harmful elements | Antivirus/Antimalware |
| Data Center / Information Center | Data Center |
| Trading workstation system, which is a system directly connected to the Exchange and allows authorized persons to enter customer orders | TWS (Trading Workstation System) |
| Auxiliary Trading Systems System (Financial Solvency) | LDM (Listing Disclosure Membership) |
| Electronic Coding System for Clients at the Egyptian Exchange | Coding System |
| Settlement System in use at Egypt Clear | Settlement |
| Bookkeeping System in use at Egypt Clear | Book Keeping System |
| Internal or Local Network that connects all connected devices to the external network | Local Area Network (LAN) |
| Personal Computer | Personal Computer (PC) |
| A high-specification computer used as a server and on which applications and programs required to be run and executed on the network are installed | Server |
| A network component which is a device used to connect the internal network to the external network and the Internet | Router |
| Hosting Company | Hosting Company |
| Connection Service Provider | Internet Service Provider (ISP) |
| Primary Dealers System | Primary Dealers System |
| Borrowing cost that was prepared and developed to reduce the bond market and increase its liquidity while reducing government borrowing costs and providing financial instruments, with the aim of taking over the process of issuing government securities in the primary market, and acting as a market maker in the secondary market | Primary Dealers System |

General Instructions and Controls

  • Brokerage companies must deal directly with ISP service providers dealing with both the Exchange and Egypt Clear only, without any intermediary.
  • The ISP service provider must be classified by the telecommunications regulatory authority (NTRA) as Class (A).
  • Connection lines must be used only for their designated purpose, whether for connecting a brokerage company or a hosting company to the Exchange or to Egypt Clear.
  • The Router is used only for its designated purpose, whether for connection to the Exchange or to Egypt Clear, and is not used for connection to any other entities or for connection to the Internet.
  • The brokerage company is responsible for monitoring the consumption of connection lines between it and the Exchange and Egypt Clear, as well as their maintenance.
  • The hosting company is responsible for monitoring the consumption of connection lines between it and both the Exchange and Egypt Clear, as well as their maintenance, in coordination with the benefiting brokerage company, and sending the report issued by it to the Authority and a copy to the Exchange and Egypt Clear for study and opinion if necessary.
  • All operating systems and applications on all devices at the company working in the field of securities or the hosting company must be licensed and updated.
  • The Antivirus/Antimalware system must be installed on all devices of the company working in the field of securities as well as the hosting company, and it must be licensed and updated to ensure efficient operation.



Chapter One

Technical Specifications for the Basic Infrastructure of Companies Working in Securities

Item 1: Internal Network

The design, construction, installation, and setup of the Internal Network (Local Area Network) LAN for the company working in the field of securities, as well as its maintenance, are the sole responsibility of the company working in the field of securities.

The internal network may include the following devices in its structure:

  • Personal Computers (PC)
  • Laptops
  • Servers
  • Printers, Scanners, and Copiers
  • In addition to some other network components such as Cores, Switches, Hubs, Routers, Network Cards, Wires, Connectors, and Information Card Terminators

Item 2: Specifications of Devices Constituting the Internal Network

First: Personal Computers (PC)

  • Personal Computers (PC) and Laptops connected to the internal network must be produced by original brand companies and must be capable and efficient in running the applications and programs of the trading system as well as auxiliary trading systems such as (Settlement, Book Keeping, Coding, LDM, and TWS Systems) in addition to the Primary Dealers System.

Second: Servers

  • Servers must be produced by original brand companies and must be capable and efficient in running applications and all programs, and capable of continuous operation without interruption and achieving the highest levels of data security, whether the servers work separately (Physical Servers) or work using the virtualization environment (Virtualization) or any other means, and include the following servers:

    • Application Server
    • Database Server
    • FIX Server (Financial Information eXchange Server)
    • Web Server


Item 3: Connection and Linking Means

First: Connecting the Brokerage Company to the Exchange via Connection Lines

  • One main connection line and one backup connection line must be available, such that the total speed of both lines together is not less than 1 Mbps, and the two lines can work in Active-Passive or Active-Active mode.
  • Connection lines provided by Connection Service Providers (ISP) are provided to clients only with the Exchange.
  • A Router containing exits for the external network must be provided, which must be compatible with the network existing at the Exchange and which covers the number of lines to be connected with the Exchange, with at least one exit for the internal network (Ethernet).
  • The Exchange provides the brokerage company with the necessary information to prepare Router devices.

Second: Connecting the Brokerage Company to Egypt Clear via Connection Lines

  • One main connection line and one backup connection line must be available, such that the total speed of both lines together is not less than 1 Mbps, and the two lines can work in Active-Passive or Active-Active mode.
  • Connection lines provided by Connection Service Providers (ISP) are provided to clients only with Egypt Clear.
  • A Router containing exits for the external network must be provided, which must be compatible with the network existing at Egypt Clear and which covers the number of lines to be connected with Egypt Clear, with at least one exit for the internal network (Ethernet).
  • Egypt Clear provides the brokerage company with the necessary information to prepare Router devices.

Item 4: Auxiliary Trading Systems

  • The brokerage company wishing to operate and use auxiliary trading systems such as (Coding, LDM, TWS Systems) as well as operating and using auxiliary trading systems of Egypt Clear such as (Book Keeping and Settlement Systems) must comply with the instructions of the Exchange and Egypt Clear, each regarding its part, on the operation and use of any of these systems.
