Reporting ICT incidents
Due to financial institutions' increasing reliance on information systems, the AFM observes a sharp upturn in information security-related risks. Information security incidents are defined as events that actually or potentially compromise the confidentiality, integrity, or availability of an information system or the information the system processes, stores or transmits.
The AFM requests companies to immediately report any such incidents. Financial institutions that are subject to DORA are required to report all serious ICT incidents to the supervisory authority.
Reporting process
The current AFM reporting process for ICT incidents is outlined below. This page will be updated as soon as it becomes clear how ICT incidents have to be disclosed based on DORA.
You may forward any incident notification to the AFM via the following email address: meldingenformulier@afm.nl. Please make use of Cryptshare to exchange data securely.
Please always mention the following in your notification:
- A description of the personal data breach.
- The date on which the incident occurred.
- The date the incident was detected.
- If applicable: the number of customers of your company affected by the incident.
- If applicable: the estimated extent of the damage.
- The actions your company is taking/has taken to manage the incident.
- The measures your company is taking to prevent future similar incidents.
Irrespective of whether your company conducts or commissions an investigation into the incident, and whether the investigation has been concluded or not, your company still needs to report the incident to the AFM without delay. We would also like to receive the outcome of the investigation as a supplementary notification. We also advise you to always report the incident when in doubt.
If the incident should lead to major prudential consequences for your company, you must also report the incident to De Nederlandsche Bank (the Dutch Central Bank - DNB). You can do so by email at: infobetaalinstelling@dnb.nl.
The statutory obligation: what do we expect of you?
Incident notifications to the AFM are mandatory. We use these notifications in our supervision of individual companies and to timely identify risks in the sector, in order to determine the course of our risk-based supervision. Notifications contribute to fair and transparent financial markets.
The statutory obligation requires that:
1) Your company has formulated policies on the handling and recording of incidents.
2) Your company takes appropriate measures in case of any incidents in order to control the risks involved and to prevent future incidents.
3) Your company keeps a register of incidents.
4) You report without delay to the AFM all incidents that pose a serious threat to controlled and sound business operations.
We expect that you report without delay to us all incidents that pose a serious threat to controlled and sound business operations.
Further information
More information on incidents and the obligation to report incidents is available on our website. If your question is not listed there, please contact the Business Desk.
Examples of incidents and notifications
Information security incidents have to be reported if these incidents pose a serious threat to the sound and controlled business operations of your company. Some examples of information security incidents include:
- Theft or loss of ICT tools containing the company’s confidential data.
- Unauthorised access to the company’s ICT infrastructure, possibly resulting in unauthorised transactions.
- The installation of malware on the company’s systems.
- A data breach, involving confidential information ending up in the public domain.
- DDoS attacks or the threat thereof.