2024-08-12
The National Securities Market Council of the Dominican Republic approved the Regulation on Cybersecurity and Information Security in the Securities Market to mandate strict information protection standards for market participants. The regulation establishes general criteria and guidelines to ensure the integrity, availability, and confidentiality of information while mitigating systemic risks associated with cyber threats. It applies obligatorily to key entities such as securities intermediaries, central counterparties, and depositories, requiring them to implement robust cybersecurity governance and risk management practices.
Superintendencia del Mercado de Valores de la República Dominicana
CERTIFICATION
The undersigned, Mr. Ervin Novas Bello, Manager of the Central Bank of the Dominican Republic (hereinafter "Central Bank"), representing the Governor of the Central Bank, ex officio member and President of the National Securities Market Council (hereinafter "Council"); and Mrs. Fabel María Sandoval Ventura, Secretary of the Council, CERTIFY that the text below constitutes a faithful copy transcribed in its entirety in accordance with the original of the Second Resolution, R-CNMV-2024-08-MV, adopted by the Council in the meeting held on the sixteenth (16) day of July of the year two thousand twenty-four (2024), which is kept in the archives of this Secretariat, namely:
"SECOND RESOLUTION OF THE NATIONAL SECURITIES MARKET COUNCIL OF THE SIXTEENTH (16) DAY OF JULY OF THE YEAR TWO THOUSAND TWENTY-FOUR (2024).
R-CNMV-2024-08-MV
REFERENCE: Approval of the Regulation on Cybersecurity and Information Security in the Securities Market.
WHEREAS: That on the first (1st) day of July of the year two thousand twenty-four (2024), the Superintendent of the Securities Market (hereinafter "Superintendent") submitted to the knowledge and consideration of the National Securities Market Council (hereinafter "Council") the draft Regulation on Cybersecurity and Information Security in the Securities Market (hereinafter "Draft Regulation").
That the Council, in compliance with the powers conferred by Law No. 249-17 on the Securities Market of the Dominican Republic, which repeals and substitutes Law No. 19-00 of the eighth (8) day of May of the year two thousand (2000), promulgated on the nineteenth (19) day of December of two thousand seventeen (2017), and its modification (hereinafter "Law No. 249-17"), and in accordance with the provisions of the Internal Regulation of the National Securities Market Council, adopted by this collegiate body through the First Resolution, R-CNMV-2018-06-MV, of the twenty-ninth (29) day of November of two thousand eighteen (2018) (hereinafter the "Internal Regulation of the Council"); duly convened with the corresponding supporting documentation, deems it appropriate to state the following:
CONSIDERING:
That in accordance with Article 6 of Law No. 249-17, the Superintendency is an autonomous and decentralized administrative, financial, and technical organism of the State, endowed with legal personality, its own assets, and autonomy.
That according to Article 7 of the aforementioned legislation, the Superintendency's purpose is to promote an orderly, efficient, and transparent securities market, protect investors, ensure compliance with the aforementioned legal statute, and mitigate systemic risk, through the regulation and supervision of natural and legal persons operating in the securities market.
That, in accordance with Article 10 of Law No. 249-17, the Securities Market Superintendency (hereinafter "Superintendency") is composed of a collegiate body, the Council, and an executive official, the Superintendent.
That the aforementioned law, in the main part of its Article 13, establishes that the Council is the superior body of the Superintendency, with essentially normative, supervisory, and control functions.
That, likewise, said Article 13, in its items 4 and 5, confers upon the Council the authority to issue regulations for the application of Law No. 249-17, as well as to periodically review the regulatory framework of the securities market, adapting it to market trends and realities, while empowering it to propose, on its own initiative or upon proposal of the Superintendent, the necessary modifications.
That, in this order, Article 25 of Law No. 249-17 establishes that "[t]he Council is the competent body to establish regulations regarding the activities of the securities market indicated in this law. It corresponds to the Superintendency the development of technical or operational norms derived from this law and the applicable regulations and necessary norms, for the exercise of its power of internal self-organization."
That, in addition to the above, by virtue of Article 17, item 14, of the aforementioned norm, the Superintendent is invested with the authority to issue resolutions, circulars, and instructions required for the development of Law No. 249-17 and its regulations.
That Article 25, paragraph I, of Law No. 249-17 adds that "[i]n the exercise of regulatory power, the Council and the Superintendency shall observe the principles of legality and the rules of public consultation, participation, and transparency contained in the Constitution of the Republic and the laws in force."
That Article 4 of the aforementioned legal provision establishes that the securities market shall be governed with strict adherence to the Constitution of the Republic, what is prescribed in said law and in the regulations and resolutions issued by the Council and the Superintendency, within the scope of their respective competencies; being applicable subsidiarily, in matters not specifically provided for in the aforementioned norms, the general provisions of administrative law, corporate, commercial, monetary and financial legislation, trust law, common law, and commercial usages, in the order cited.
That it is worth highlighting that Article 2 of Law No. 249-17 provides that the provisions contained in said statute apply to all natural and legal persons who carry out activities, operations, and transactions in the securities market of the Dominican Republic, with public offering securities that are offered or negotiated within the national territory.
That, parallel to this, in the paragraph of the mentioned article it is established that "[n]atural and legal persons who carry out any of the activities or services provided for in this law shall be subject to the regulation, supervision, and inspection of the Securities Market Superintendency, regarding the exercise of those mentioned activities or services."
That among the powers vested in the Superintendent in accordance with Article 17, items 2 and 11, the following stand out: "2) Comply with and enforce the provisions of this law and its regulations, ensuring the correct application of its principles, policies, and objectives.
That, for its part, Article 36 of Law No. 249-17 expresses that "[t]he Superintendency shall have a Registry available to the public, which may be electronic, and in it shall be registered the natural and legal persons who participate in the securities market, as well as public information regarding the securities registered in the Registry and the participants in the securities market regulated by this law."
That, according to what Article 3, item 33, of the aforementioned legal provision states, participants in the securities market are natural or legal persons registered in the Securities Market Registry and regulated by the Superintendency.
That through communication received in the Council's Secretariat on the sixteenth (16) day of April of the year two thousand twenty-four (2024), the Superintendent submitted to the knowledge and final approval of this collegiate body the draft Regulation, together with a justificatory file.
That said letter states that the object of the draft Regulation is to establish the general criteria and guidelines that market participants must adopt to ensure the integrity, availability, and confidentiality of information, as well as the optimal functioning of information systems and technological infrastructure. Likewise, to establish the adoption and implementation of practices for the management of cybersecurity and information risks.
That the indicated communication states that, in compliance with the applicable current legal framework, the draft Regulation was submitted to public consultation from the twenty-fifth (25) day of April to the twenty-ninth (29) day of June of the year two thousand twenty-three (2023), inclusive; receiving comments from various actors in the private sector.
That, likewise, from the documents accompanying the Superintendent's communication, it is highlighted that, as a result of said consultative process, comments were received from: the Dominican Association of Investment Fund Management Companies, Inc. (ADOSAFI), the Dominican Association of Stock Exchanges, Inc. (APB), the BHD Financial Center, CEVALDOM Centralized Securities Depository, S.A., Stock and Securities Markets S.A. (BVRD), the Cibao Association of Savings and Loans; and the La Nacional Association of Savings and Loans.
That it is highlighted that the technical body involved in the analysis of the observations and comments presented by the market includes officials and collaborators from the Directorates of Participants, Information and Communication Technology; Regulation and Innovation, Public Offering; Legal, and Risk Analysis and Economic Studies.
That from the pieces composing the file, a matrix is highlighted that collects the observations and comments presented, duly analyzed and responded to by the Superintendency's technical team; subsequently, as part of the administrative procedure and in accordance with the principles of transparency and participation, a working session, in virtual mode, was held with interested sectors on the fifteenth (15) day of April of the year two thousand twenty-four (2024).
That, likewise, in the documents presented to the Council there is a list of relevant data in which it is explained that the draft Regulation contemplated the following improvements from the consultation process, namely:
That subsequently, through communication received in the Council's Secretariat on the first (1st) day of July of the year two thousand twenty-four (2024), the Superintendent reintroduced to the Council an updated version of the draft Regulation, due to wording adjustments made by virtue of observations and comments presented by the technical team of the Central Bank of the Dominican Republic on the fourteenth (14) day of June of the year two thousand twenty-four (2024).
That, according to what is explained in the document titled "Statement of Reasons," in the development of the Regulation, best practices in the regulation of the Securities Market have been considered, especially the objectives and principles established by the International Organization of Securities Commissions (IOSCO), in adherence to the legal framework of the Dominican Republic.
That it is added that IOSCO contemplates the need for regulators to be at the forefront regarding the growing development of technology and advances in the area of e-commerce.
That, as reasoned in said document, given the development of technology -and its associated risks due to the growing wave of cyberattacks- and the importance it has taken on in the Dominican securities market, it is necessary to establish the general criteria and guidelines that securities market participants must adopt in matters of cybersecurity and information security for internal control, use of tools, optimal functioning of systems, infrastructure, security, confidentiality, and risk management regarding these, with the aim of mitigating systemic risk and ensuring the protection of investors.
That it is explained that an operational failure in the Securities Market can negatively affect financial stability; for this reason, it is fundamental that entities identify their critical operations and supporting information assets, in order of priority, and understand their internal situation and external dependencies, which is the key to being able to respond effectively to possible cyber threats that may arise.
That, considering the systemic risk this matter represents in the securities market, the draft Regulation will be mandatory for the following securities market participants:
a) Securities intermediaries.
b) Management companies of centralized trading mechanisms.
c) Centralized securities depositories.
d) Companies that administer clearing and settlement systems.
e) Central counterparty entities.
That, likewise, investment fund management companies, public offering trust companies, securitization companies, price-supplying companies, and legal person investment promoters will be subject to mandatory compliance with Titles III and VII of the draft Regulation; they may voluntarily adhere to the remaining provisions.
That, likewise, the application of the draft Regulation will extend to entities that provide services through the maintenance of an electronic connection or the exchange of essential information, through any digital medium, to the extent that such linkage could compromise the stability of the securities market.
That, in view of all the above, weighing the reports and documentation submitted by the technical area of the Superintendency, this collegiate body is of the opinion that the draft Regulation can be favorably accepted.
SEEN:
a. The Constitution of the Dominican Republic, voted and proclaimed by the National Assembly on the thirteenth (13) day of the month of June of the year two thousand fifteen (2015), published on the tenth (10) day of July of two thousand fifteen (2015).
b. Law No. 249-17 on the Securities Market of the Dominican Republic, which repeals and substitutes Law No. 19-00 of the eighth (8) day of May of the year two thousand (2000), promulgated on the nineteenth (19) day of December of two thousand seventeen (2017), and its modification.
c. Law No. 107-13 on the Rights of Persons in their Relations with the Administration and Administrative Procedure, of the sixth (6) day of August of the year two thousand thirteen (2013).
d. Law No. 200-04, General Law on Free Access to Public Information, of the twenty-eighth (28) day of July of the year two thousand four (2004).
e. The Regulation of the General Law on Free Access to Public Information, approved through Decree No. 130-05, of the twenty-fifth (25) day of February of the year two thousand five (2005).
f. The Internal Regulation of the National Securities Market Council, issued through the First Resolution, R-CNMV-2018-06-MV, of the twenty-ninth (29) day of November of the year two thousand eighteen (2018).
g. The Regulation of the General Law on Free Access to Public Information, approved through Decree No. 130-05, of the twenty-fifth (25) day of February of the year two thousand five (2005).
h. The communication received in the Council's Secretariat on the sixteenth (16) day of April of the year two thousand twenty-four (2024), signed by the Superintendent, and attached documentation.
i. The communication received in the Council's Secretariat on the first (1st) day of July of the year two thousand twenty-four (2024), signed by the Superintendent, and annexes cited.
j. The other documents that make up the file.
THEREFORE: After having studied and deliberated on the matter, the Council, in the exercise of the powers conferred by Law No. 249-17, by unanimous vote of the members present at the session, in view of the reasons set out,
RESOLVES:
FIRST: APPROVE the definitive version of the draft Regulation on Cybersecurity and Information Security in the Securities Market; in accordance with the document presented by the Regulation and Innovation Directorate, through the Superintendent, the content of which is copied textually below:
"REGULATION ON CYBERSECURITY AND INFORMATION SECURITY IN THE SECURITIES MARKET"
TITLE I GENERAL PROVISIONS
CHAPTER I Object and Scope
Article 1. Object. To establish the general criteria and guidelines that Securities Market Participants must adopt to ensure the Integrity, availability, and Confidentiality of Information and the optimal functioning of Information systems and Technological Infrastructure. Likewise, to establish the adoption and implementation of practices for the management of Cybersecurity and Information Risks.
Article 2. Scope. The provisions of this Regulation apply to:
Paragraph I. This Regulation comprises the normative provisions relating to the general regime for the comprehensive management of Technological, Cybersecurity, and Information Risks, as well as the establishment of provisions relating to the internal governance of Securities Market Participants. The provisions contained in this Regulation shall be supplementary for Securities Market Participants who, by virtue of their participation in the payment and settlement system of securities and the corresponding exchange of Essential Information, fall within the scope of application of specialized legislation issued by the Monetary Board related to these Risks; therefore, the latter shall be the main applicable regime for said entities.
Paragraph II. Securities Market Participants who are not subject to the payment and settlement system of securities and to whom Access to the Cybersecurity Incident Response Team for the Financial Sector (CSIRT) is granted by the Central Bank of the Dominican Republic must submit requirements regarding Incidents in accordance with what is established in the Cybersecurity and Information Security Regulation issued by the Monetary Board.
Paragraph III. The Superintendent of the Securities Market Superintendency (hereinafter, the "Superintendent") may develop through a technical or operational norm the minimum requirements applicable to Issuers. Financial Intermediation Entities regulated and supervised by the Monetary and Financial Administration shall be subject only to the provisions on the matter issued by their sectoral regulator.
Paragraph IV. The Superintendent may issue minimum provisions and guidelines in matters of Cybersecurity and Information Security for the purpose of allowing the connection of Securities Market Participants, including those not subject to the Scope of this Regulation, to the systems of the Securities Market Superintendency (hereinafter, the "Superintendency").
CHAPTER II Definitions
Article 3. Definitions. In addition to the terms defined by Law No. 249-17 on the Securities Market of the Dominican Republic of the nineteenth (19) day of December of two thousand seventeen (2017), which repeals and substitutes Law No. 19-00 of the eighth (8) day of May of the year two thousand (2000) (hereinafter, the "Law") and its implementing regulations, for the purposes of this Regulation, the terms and concepts detailed below have the following meaning:
Access: Capacity and means to communicate or interact with a system, use resources of said system to manage and acquire knowledge of the Information it contains or control its components and functions.
Threat: Unfavorable circumstance that may occur and that, if it happens, would have negative consequences on Cybersecurity and Information Security. A Threat may have natural causes, be accidental, or intentional. If this unfavorable circumstance occurs simultaneously with the existence of a Vulnerability or weakness in the systems or taking advantage of its existence, it may result in a security Incident.
Attack: Attempt to obtain unauthorized access to systems, their resources, services, or Information, or to compromise their Integrity. It includes any type of malicious activity intended to collect, degrade, or destroy Information system resources, the Information contained therein, interrupt or deny...