NLD AFM issued guidelines for investment firms for reporting incidents after its investigation identified a number of possible causes for the lack of those reports.
Follows the Sep. 2021 NLD AFM continued incident reporting investigation, see #94432.
Investigation Findings
Since 2020, NLD AFM has been paying extra attention to incidents at investment firms, and at managers of investment institutions and/or UCITS companies.
Investigation found companies' policies do not always properly define what constitutes a potential incident; it also found major differences in the depth and scope of the definition.
Thus it is unclear to employees using the policy which potential events qualify as incidents.
Several companies lacked a description of roles and responsibilities and/or instructions on how and where employees can report potential incidents.
Also found no or insufficient records of decision-making on incidents.
Investment companies that are mainly IT-driven have extensive procedures and measures in place to detect, evaluate and possibly report incidents.
Policies sometimes focus too extensively on incidents of an operational nature.
Risk that assessments are carried out ad hoc and inconsistently.
Next Steps
AFM expects institutions to use the report to determine and implement improvements.
Firms must comply with the Digital Operational Resilience Act (DORA) regulation from Jan. 17, 2025, which includes standards for the management and reporting of ICT incidents.
Urged companies to begin preparations for compliance in good time, see #137568.
Regulators
NLD AFM
Entity Types
HF; IA; Inv Co
Reference
Gd, PR, 5/25/2023; DORA Dir 2022/2556, Reg 2022/2554