After giving brokers and exchange operators a new reason to worry last week by announcing them that they would need to implement information security standards and obtain certification for them, the CNVM decided on Wednesday night to waive this requirement indefinitely. The decision of the Commission came after several rounds of discussions with the management of the Bucharest Stock Exchange and of the Association of Brokers who were unhappy with the fact that obtaining the certification for the Information Security Management System (SMSI) actually involved costs that could go as high as tens of thousands of Euros, which are hard to bear at a time like this. Brokers opposed the idea from the start, claiming that there was no way their transaction commissions would be enough to help them recoup the cost of obtaining the SMSI certification.
"There were some meetings with the Commissioners of the CNVM in which we showed that the standards for the SMSI certification aren"t implemented by any European intermediaries and that only two exchanges have implemented them of their own accord, without being required to", said sources who did not wish for their names to be disclosed, adding: "Obtaining a SMSI certification is expensive, such an operation takes about six months, during which time some of the staff needs to be diverted to this task, even though those employees would be needed to do the job for which they were hired in the first place. It"s not information standardization that we lack, what we lack is investors on the stock market, more trades ... we can do data standardization further down the road".
According to the Romanian National Securities Commission Instruction no. 2/2011, issued in early February, obtaining a SMSI certification would become mandatory on January 1st 2012, for brokers with an initial capital of 730,000 Euros, for asset management companies, for market/system operators, for the Investor Compensation Fund and for traders. The entities that would obtain SMSI certification were required to annually review their SMSI certificate and replace it every three years, according to the instructions of the Commission.
However, the disposition of the Romanian National Securities Commission suspends the implementation of all the provisions of the Chapter of the Instruction which concerns the mandatory nature of the SMSI certification, as well as of the article that stipulated that this obligation would apply starting with January 1st, 2012.
"I was against all the provisions of the Instruction no.2/2011 which concerned brokerages, in particular against requiring brokers to obtain SMSI certification because this certification has no connection whatsoever with the financial segment", said Dan Paul, the president of the Association of Brokers, adding: "SMSI certification concerns the security of information within a company, not the security of transactions. The Association of Brokers also continues to militate against the amendment of several provisions of the Regulation No. 5 of the Commission. At any rate, now that the requirement to get certified for the SMSI was waived, we are happy that we got rid of some expenses that brokers would have had to bear otherwise".
Among others, the Disposition no. 5 of the Romanian National Securities Commission of March 16th, also suspends the requirement, stipulated by the aforementioned instruction, for brokerages with an initial capital amounting to the equivalent of 50,000 Euros and 125,000 Euros, respectively, to audit their IT systems at least once a year.
The System for the management of Information Security (SMSI) is a management system based on an assessment of risks that an entity is exposed to, which has the right to establish, implement, operate, monitor, revise, maintain and improve the security of information, according to the CNVM Instruction no. 2/2011.