2023-12-29

Instruction No. 79/AMF-UMOA on the Information System Requirements of the Regional Securities Market (BRVM)

The West African Monetary Union Financial Markets Authority (AMF-UMOA) issues Instruction No. 79/AMF-UMOA to establish mandatory security and risk management standards for the Regional Securities Market (BRVM). The regulation mandates strict IT controls, including comprehensive audit trails, robust user authentication protocols, and a formalized incident management framework with specific reporting timelines. It further requires the BRVM to maintain a Business Continuity Plan with defined Recovery Time and Point Objectives, conduct triennial security audits, and implement rigorous change management and data protection procedures.


AUTORITÉ DES MARCHÉS FINANCIERS DE L'UNION MONÉTAIRE OUEST AFRICAINE


INSTRUCTION NO. 79/AMF-UMOA/2023

ON THE INFORMATION SYSTEM REQUIREMENTS OF THE REGIONAL SECURITIES MARKET (BRVM)


The West African Monetary Union Financial Markets Authority,

Having regard to the Revised Treaty of the West African Monetary Union (UMOA) of July 12, 2019, which entered into force on October 1, 2022, modifying the name of the Regional Council for Public Savings and Financial Markets (CREPMF) to the West African Monetary Union Financial Markets Authority (AMF-UMOA);

Having regard to the Convention of July 3, 1996 establishing the Regional Council for Public Savings and Financial Markets, particularly its Annex on the composition, organization, functioning, and powers of the Regional Council for Public Savings and Financial Markets;

Having regard to the General Regulation relating to the organization, functioning, and control of the regional financial market of the UMOA;

Having regard to Instruction No. 2/97 of November 29, 1997 on the accreditation of the Regional Securities Market;

Having regard to Decision No. 004 of April 29, 2021/CM/UMOA appointing the President of the Regional Council for Public Savings and Financial Markets;

Having regard to the deliberations of the AMF-UMOA in its 98th ordinary session held on December 23, 2023, in Cotonou, Republic of Benin;

HAS ADOPTED:


Republic of Côte d'Ivoire | Abidjan Plateau Avenue Joseph ANOMA | 01 BPM 1878 Abidjan 01 Tel: (+225) 27 20 21 57 42 | 27 20 31 56 20 | Email: sg@amfumoa.org | Website: www.amfumoa.org


2/12 Instruction No. 79/2023/AMF-UMOA

TITLE 1. GENERAL PROVISIONS AND OBLIGATIONS

Article 01: Definitions

For the purposes of this Instruction, the following terms are defined as:

a) Computer Incident: Any event that is not part of the standard functioning of a service and which causes, or may cause, an interruption or a reduction in the quality of that service.

b) Software Platform: Business software used by the Regional Securities Market (quoting software, surveillance software, etc.).

c) Audit Trail: Chronological recording of system activities showing all additions, deletions, and changes made to the system, which allows reconstructing and controlling an operation from its origin to its completion.

d) Business Continuity Plan: A formalized strategic document, regularly updated, for planning reaction to a disaster or serious damage. Its objective is to minimize the impacts of a crisis or natural, technological, or social disaster on the activity (and thus the sustainability) of a company.

e) User Profile: Description of a user showing the rights they benefit from in the business software.

f) RPO (Recovery Point Objective): The RPO quantifies the maximum amount of data that an Information System may lose as a result of an incident. It is usually expressed as a duration: the interval between the incident causing the data loss and the time of the most recent data that will be used to replace the lost data.

g) RTO (Recovery Time Objective): The RTO represents the maximum acceptable duration of interruption during which a resource (computer, system, network, software) may be non-functional following a failure or disaster.

Article 02: Purpose

This Instruction sets the rules regarding security and risk management of the information system of the Regional Securities Market (BRVM).

Article 03: Scope of Application

This Instruction applies to the Regional Securities Market.



TITLE 2: INFORMATION SYSTEM SECURITY FRAMEWORK OF THE BRVM

Article 04: Audit Trail

An audit trail must be configured on every software platform to guarantee the recording of actions performed by users of that platform and thus ensure their traceability. Furthermore, access to this audit trail must be restricted so as to be inaccessible to data administrators.

Article 05: Logging and Right of Access to the Audit Trail

The business software, databases, and operating systems of the BRVM must provide security features that log the actions performed on them, so that any irregularity can be detected and analyzed.

This logging (activation of the audit trail) must be enabled on all business software.

The audit trail of business software must be secured (protected against any modification) and archived adequately to guarantee its integrity and its quality as evidence. It must be accessible only to the Audit or Internal Control Department.

The audit trail of business software as well as the logs of databases and operating systems must be retained for at least five (5) years to serve later in the event of disputes or for analysis purposes.
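Articles 4 and 5 require the audit trail to be protected against modification, to keep its quality as evidence, and to be out of reach of the administrators whose actions it records. One way to make after-the-fact edits and deletions detectable is to chain each record to its predecessor and to authenticate every record with a key held only by the Audit or Internal Control Department. The following Python code is an added illustration of that technique; it is not part of the Instruction nor of BRVM's software, and the record fields, the sample entries and the key are constructed for the example.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Added example, not BRVM code. The key is assumed to be held only by the
# Audit / Internal Control Department (Article 5), never by system or DBA staff.
AUDIT_KEY = b"example-key-held-by-internal-control"  # hypothetical key material
GENESIS = "0" * 64                                     # "previous MAC" of the first record


def _canonical(record: Dict[str, object]) -> bytes:
    """Deterministic encoding so the same record always yields the same MAC."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def append_entry(chain: List[dict], user: str, action: str, target: str,
                 timestamp: str, key: bytes = AUDIT_KEY) -> dict:
    """Append one audit record, binding it to the previous record's MAC."""
    prev = chain[-1]["mac"] if chain else GENESIS
    body = {"seq": len(chain), "ts": timestamp, "user": user,
            "action": action, "target": target, "prev": prev}
    mac = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    entry = {**body, "mac": mac}
    chain.append(entry)
    return entry


def verify_chain(chain: List[dict], key: bytes = AUDIT_KEY) -> Tuple[bool, int]:
    """Walk the chain; return (True, -1) if intact, else (False, index of first bad record).

    Detects edited fields (MAC mismatch), removed or inserted records (seq/prev
    mismatch), and records forged without the key.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if body.get("seq") != i or body.get("prev") != prev:
            return False, i
        expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["mac"]):
            return False, i
        prev = entry["mac"]
    return True, -1


def build_sample_chain() -> List[dict]:
    """Constructed sample activity on a quoting platform (not real BRVM data)."""
    chain: List[dict] = []
    append_entry(chain, "trader01", "ORDER_ADD", "ORD-1001", "2023-12-29T09:00:00Z")
    append_entry(chain, "admin02", "PROFILE_CHANGE", "trader01", "2023-12-29T09:05:00Z")
    append_entry(chain, "trader01", "ORDER_DELETE", "ORD-1001", "2023-12-29T09:07:00Z")
    return chain


def tamper_demo() -> Tuple[bool, int]:
    """An administrator rewrites who performed the profile change: detected at index 1."""
    chain = build_sample_chain()
    chain[1]["user"] = "trader01"
    return verify_chain(chain)


def deletion_demo() -> Tuple[bool, int]:
    """The middle record is deleted outright: the seq/prev linkage breaks at index 1."""
    chain = build_sample_chain()
    del chain[1]
    return verify_chain(chain)
```

The chain detects edits, insertions and deletions inside the log, but truncating its tail is not visible from the chain alone: periodically archiving the latest MAC with the Audit Department (and off site, as Article 17 requires for backups) closes that gap.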

Article 06: User ID and Password for User Authentication

Access to business software must be subject to user authentication (a user identifier combined with a password) so that only authorized users are admitted. Furthermore, the identifier of each user must be unique so that every activity on the software can be linked to a specific user.

Article 07: Prohibition of Simultaneous Access with the Same User Account

Business software must not allow the same user account to have more than one session open at a time, whether from a single machine or from several machines.

Article 08: User Profiles

Each business software must have the user profile management functionality. User profiles must prevent the accumulation of incompatible functions and guarantee that the roles or access rights of users to each business software are consistent with the responsibilities of users within the BRVM.



Article 09: Password Change on First Login

As a rule, each new user of a business software is created with a generic password. A change of this password on first login must therefore be mandatory, to reduce the risk of impersonation.

Article 10: Automatic Disconnection of Users After Inactivity

Business software must make it possible to configure the automatic disconnection of a user's session after a period of inactivity in the software that may not exceed ten (10) minutes.

Article 11: Password Configuration (Length, Complexity, Duration, History, Locking)

The passwords of business software must be configurable so as to define the values of the following parameters:

  • the minimum password length, which must be at least eight (08) characters;
  • the complexity of the password (at least one uppercase letter, at least one lowercase letter, at least one special character, at least one digit);
  • the maximum validity period of the password, which may not exceed ninety (90) days;
  • account lockout after a number of failed login attempts that may not exceed three (03).

Article 12: Encryption or Hashing of Password Files/Tables

The password files or tables of business software must be encrypted or hashed so that passwords are not readable by administrators of business software or Databases.
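Articles 9, 11 and 12 together describe the account lifecycle of a business-software user: forced change of the generic initial password, length and complexity rules, a maximum age of 90 days, lockout after at most three failed attempts, and storage that does not expose passwords to application or database administrators. The following Python code is an added illustration of those rules; it is not part of the Instruction nor of BRVM's software. It stores a salted scrypt hash rather than an encrypted value, so there is no key an administrator could use to recover the password. The "alphanumeric character" item of Article 11 is read here as requiring a digit, the set of special characters and the scrypt cost parameters are assumptions, and the account state is kept in memory for the example.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional

# Added example, not BRVM code. Numeric limits follow Article 11 of the Instruction.
MIN_LENGTH = 8
MAX_FAILED_ATTEMPTS = 3
MAX_AGE_DAYS = 90
SPECIALS = set(string.punctuation)               # assumed meaning of "special character"
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}   # assumed cost parameters (16 MiB, ~0.1 s)


def check_policy(password: str) -> List[str]:
    """Return the Article 11 rules a candidate password violates (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")  # "alphanumeric character" in Article 11 read as a digit
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def hash_password(password: str, salt: Optional[bytes] = None) -> dict:
    """Salted scrypt hash (Article 12): the stored record never contains the password."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    # Cost parameters are stored beside the hash so they can be raised later per account.
    return {"salt": salt.hex(), "hash": digest.hex(), **SCRYPT_PARAMS}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the hash with the stored salt and parameters; constant-time comparison."""
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(record["salt"]),
        n=record["n"], r=record["r"], p=record["p"], dklen=32,
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


class Account:
    """In-memory account state; a real system would persist this in the user table."""

    def __init__(self, user_id: str, generic_password: str):
        self.user_id = user_id                  # unique identifier (Article 6)
        self.record = hash_password(generic_password)
        self.failed_attempts = 0
        self.locked = False
        self.must_change_password = True        # generic initial password (Article 9)
        self.password_age_days = 0

    def login(self, password: str) -> str:
        """Return one of: locked, denied, change_required, expired, ok."""
        if self.locked:
            return "locked"
        if not verify_password(password, self.record):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True              # Article 11: lockout after at most 3 attempts
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if self.must_change_password:
            return "change_required"
        if self.password_age_days > MAX_AGE_DAYS:
            return "expired"                    # Article 11: maximum validity of 90 days
        return "ok"

    def change_password(self, new_password: str) -> List[str]:
        """Apply the policy; on success store a fresh salted hash and reset the age."""
        problems = check_policy(new_password)
        if problems:
            return problems
        self.record = hash_password(new_password)
        self.must_change_password = False
        self.password_age_days = 0
        return []
```

Hashing is the stronger of the two options Article 12 allows: a reversibly encrypted password table is only as secure as the custody of its key, whereas a salted, memory-hard hash gives an administrator with read access to the table nothing to decrypt.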

Article 13: Surveillance and Conduct of Security Examinations

The BRVM must closely monitor personnel holding high access privileges to its systems, since they have the knowledge and the means needed to bypass the controls implemented in these systems and the security procedures. The BRVM must carry out a security audit at least once every three (03) years; its results must be transmitted to the AMF-UMOA no later than May 15 of the year following the end of the triennial period.

It must adopt the following controls and practices:

  • implement strong authentication mechanisms for privileged users, particularly for remote access;
  • limit the number of privileged users;
  • grant privileged access on a strict functional needs basis;


  • record activities performed on systems by privileged users by activating audit logs;
  • prohibit privileged users from accessing system logs in which their activities and those of other users are recorded;
  • examine the activities of privileged users in a timely manner;
  • prohibit the sharing of privileged accounts;
  • prohibit suppliers from benefiting from privileged access to systems without close supervision.

The internal control function of the BRVM must perform checks (reviews of profiles, of access to computer systems, and of audit logs) to identify any irregularity in the use of computer systems. Periodically, and at least every half-year (in January and July), the reports of these checks must be transmitted to the AMF-UMOA and retained by the BRVM.

TITLE 3: GOVERNANCE AND RISK MANAGEMENT

Article 14: Security Framework

In the context of managing the risks inherent to information systems, the BRVM must put in place a framework that makes it possible, on a continuous basis, to identify and evaluate risks with a view to reducing or managing them. To this end it draws up a risk management strategy approved by its governing bodies.

It must use the following non-exhaustive best practices:

  • ensure that a solid framework for technological risk management is established and maintained;
  • ensure that effective internal controls and risk management practices are implemented to ensure the security, reliability, resilience of systems, and business recovery;
  • establish IT policies, standards, and procedures, which are essential components of the technological risk management framework. Due to rapid changes in the environment and IT security, policies, standards, and procedures should be regularly reviewed and updated;
  • implement compliance processes to verify that IT security standards and procedures are applied. Monitoring processes should be implemented so that compliance deviations are known and corrected in a timely manner;
  • put in place an employee awareness program on IT security. This program should be regularly updated to ensure its content remains relevant, given the evolution of technology and associated risks;
  • conduct a triennial audit of its information system.


Article 15: IT Security Policy

The BRVM develops an IT security policy adapted to its activity and its own IT infrastructure, compliant with the most widespread security requirements on the market and notably the ISO 27001 standard.

This policy must be approved by the Board of Directors of the BRVM and communicated to all users of the Information System (employees and service providers). It is updated regularly, and at least every three years, to take into account changes in the internal and external environment.

Article 16: Business Continuity Plan

The BRVM must ensure that its organization, system, and procedures are designed to maintain their critical functions or restore them as quickly as possible in order to fulfill its obligations towards the regulatory authority and approved market users.

To this end, the development of a business continuity plan, including an IT backup plan, is mandatory. The business continuity plan must be approved by the Board of Directors. This plan must cover at least the following aspects:

  • an identification of the company's processes of strategic importance, which are critical and necessary for its survival, and a minimum system configuration capable of supporting said processes;
  • an evaluation of risks, vulnerabilities, and impacts which will lead to the identification of indispensable human resources, important data for the BRVM, and the efficiency of mitigation controls for existing risks;
  • a definition of the business continuity strategy, including plan trigger criteria, a recovery site with its description, a presentation of the crisis team with persons authorized to trigger the plan, the acceptable recovery time (RTO: Recovery Time Objective), and the acceptable amount of data loss (RPO: Recovery Point Objective);
  • training and awareness programs for the plan;
  • the update and testing program of the business continuity plan.

The BRVM must have a fallback site.

The BRVM's fallback site must be established in at least one other UMOA member State to mitigate the risk that the same disaster affects both sites.

The acceptable full recovery time (RTO: Recovery Time Objective) after a disaster is 24 hours.

The acceptable amount of data loss (RPO) is set at two (02) hours of data.

The exercise to evaluate the effectiveness of the plan must cover, in a non-exhaustive manner, the following verifiable aspects: (i) the alert procedure, (ii) the functioning of the crisis cell, (iii) the technical failover procedures to backup mode, (iv) the coordination of the different stakeholders during a simulated response exercise to a serious incident, (v) targeted training of personnel in the technical procedures, (vi) the degree of ownership of the plan by BRVM personnel, (vii) the testing of critical plan elements at least once a year, and (viii) regular testing of the backup recovery procedure to verify its adequacy to the organization's needs.

Periodically and at least once a year, the plan must be tested to verify its effectiveness. The test report must indicate the test results, identified weaknesses, and an execution plan to correct these weaknesses.

Article 17: Data Backup and Restoration

The BRVM ensures that its information security policy guarantees the integrity of data backups on appropriate media, the conduct of regular restoration tests, and the off-site relocation of backup media to a remote site.

Article 18: Access to IT Infrastructure

Access to the BRVM's IT infrastructure must rely on strong authentication solutions that allow, with a very high degree of assurance, to verify the identity of users. It must use in this regard controlled gateways between the internet and its own IT infrastructure, such as firewalls, proxy servers, antivirus scanners, and content scanners, or other similar up-to-date security solutions. It must ensure that these gateways are correctly designed, configured, and secured, and that they are subject to professional daily management and rigorous monitoring.

Article 19: Incident Management

The BRVM puts in place an information security incident management framework in order to handle incidents and contain their impact. It must have an incident management procedure validated by the General Management, which must:

  • specify which types of incidents it applies to;
  • establish the roles and responsibilities of personnel involved in the incident management process;
  • define a method for reporting incidents after their detection;
  • specify the priority of incidents based on urgency and impact;
  • define the strategy for assigning incidents to personnel responsible for their resolution taking into account escalations;
  • allow tracking and supervising incident management (traceability of any incident) in order to know at any time the resolution level of an incident and to close resolved incidents;
  • explain the tasks and responsibilities regarding internal and external communication concerning major incidents.


An incident report taking into account the state and impact of the incident, corrective measures adopted, recommendations, and the implementation plan must be transmitted annually, in January, to the AMF-UMOA.

Finally, any major incident must be systematically communicated to the AMF-UMOA within a period of 24 hours.

TITLE 4: CHANGE MANAGEMENT

Article 20: Application Maintenance

The BRVM must put in place a formalized application maintenance environment. This must include a test (acceptance) environment and a production environment. These two environments must be clearly separated and must support the application maintenance process through its phases of correction, acceptance testing, and validation before deployment to production.

Periodically, the configuration of the acceptance environment must be brought up to date so that the tests performed there are efficient and representative of production.

Article 21: Change Management Process for Production Systems

The BRVM must establish a change management process to ensure that modifications made to production systems are evaluated, approved, implemented, and reviewed appropriately. The change management process must apply to modifications related to software changes and updates, system configurations, and security.

This process must be governed by a change management procedure. This procedure, validated by the Board of Directors, must include the following main steps:

  • initiation of the change;
  • analysis of the risks and impact of the change;
  • authorization of the change;
  • prioritization of the change;
  • quality assurance tests, user acceptance testing (UAT);
  • rollback plan;
  • decision to deploy the change to production;
  • deployment of the change to production respecting the principles of separation of duties;
  • documentation of the change, user training, and distribution of training materials to users;
  • post-implementation monitoring of the change.


TITLE 5: MANAGEMENT OF RISKS RELATED TO THE INFORMATION SYSTEM

Article 22: Risk Management Process Related to Information Systems

In the context of managing the risks inherent to information systems, the BRVM puts in place a framework that makes it possible, on a continuous basis, to identify and evaluate risks with a view to reducing or managing them. To this end it draws up a risk management strategy approved by its Board of Directors. The BRVM carries out, or has carried out, where necessary and at its own expense, the controls required for the security of its installations and other equipment, and forwards the reports of these controls to the AMF-UMOA upon its express request. The BRVM provides the human and material resources needed for the security and safety of the installations at its disposal and for their operation.

Article 23: Protection Against Malware and Computer Hacking

The BRVM puts in place prevention, detection, and correction measures, in order to protect its information system against malware and computer hacking.

The General Management of the BRVM must integrate into its annual management report to the Board of Directors a situation of major incidents that occurred during the previous year.

Article 24: Securing Networks, Terminals, and Information

The BRVM takes appropriate security measures to protect information transiting through its network, as well as through its connections with users, data providers, and the AMF-UMOA. It ensures that terminals accessing its system have the necessary authorizations. Furthermore, it puts in place adequate configuration, with a view to managing risks inherent to the connection of external users to its information system.

Article 25: Management of Identities and Logical Access to Information Systems

The BRVM ensures that each user, data provider, or member of its personnel is identified and authenticated before any access to information systems, and that they have adequate access rights. Each action must be traceable to its author.

Article 26: Physical and Environmental Security Framework

The BRVM equips itself with a system for managing the physical access of its personnel and of third parties to its secure premises. The premises housing its data center must be fitted with appropriate environmental protection devices, notably smoke and water detectors, automatic fire extinguishing systems, and temperature probes.



Article 27: Management of IT Service Providers

IT service providers play an important role in the management of the BRVM's systems and processes. A meticulous selection and control of IT service providers are essential