Compliance with the Capital Markets Board of Türkiye (SPK) Log Regulations: The Real Dangers of Apparent Compliance

Ertugrul Akbas
5 min read · Sep 20, 2024


Introduction

The Capital Markets Board (CMB), as the regulatory and supervisory authority of Turkey’s capital markets, issues various regulations to ensure that the market operates transparently, fairly, and stably. One of these regulations is the obligation for institutions to store financial transaction logs for at least five years. This article addresses the importance of complying with these regulations and the risks that arise when institutions merely appear to comply, or when the requirements are assessed as lightly as possible.

Audit Processes and Needs

The CMB decree states that logs must be stored for 5 years, but it does not specify whether this should be done live or in archives. Over the last two years, CMB audits have been conducted by asking log-related questions such as the following. This set of questions is a subset selected from the audit questions put to one of Turkey’s largest and best-known brands, which uses the SureLog SIEM product.

  1. Unauthorized access attempts to authorization servers (Active Directory, LDAP) in the last year.
  2. Unauthorized access attempts to critical network devices in the last year.
  3. SSL VPN successful and unsuccessful logon records in the last year.
  4. Database successful and unsuccessful logon records in the last year.
  5. Work done on the periodic review of permissions in the last year.
  6. User identification, authorization logs for the audit year related to applications within the scope in the last year.
  7. Deployment logs for the audit year related to applications within the scope in the last year.
  8. Customer transaction logs for the audit year related to applications within the scope (control of audit traces related to transactions made by customers) in the last year.
  9. Successful, unsuccessful logon records, authorization, and log operations records related to the SIEM application in the last year.
  10. File Server successful and unsuccessful access logs in the last year.
  11. Firewall reports (reports on access from the internal network to the external network at unusual hours and durations) in the last year.
  12. Mail tracking logs in the last year.
  13. Logs of granting permissions to accounts in the last year.
  14. Logs of changing permissions of accounts in the last year.
  15. Logs of creating new accounts in the last year.
  16. Logs of deleting accounts in the last year.
  17. Prevention of database admin users from interfering with their own logs (transferred to SIEM) in the last year.
  18. Alert list and sample alerts in log management (resource interruption, unauthorized access attempts, abnormal situation alarms) in the last year.
  19. Users (admins, etc.) who have access to the application or log screens and activity logs in the last year.
  20. Control of whether audit traces of queries made for logs are kept in the last year.
  21. The list of all current users on applications within the scope (including passive/deleted users, administrator/system/consultant accounts covering the audit period) in the last year. User’s name-surname — User ID (username, registration number, etc.) — Creation/removal date — Last login date — User Creator.
  22. All successful/unsuccessful access attempts after the passive date of the users listed above in the last 5 years.
  23. The list of critical tables in the last year and evidence that audit traces (logs) of direct interventions to these tables are recorded and these audit traces are periodically reviewed.
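Item 22 above asks for every successful or unsuccessful access attempt made after a user's passive (deactivation) date, which requires joining the user inventory from item 21 against the authentication logs. The following Python check is an added example, not code from the article or from the SureLog product: it parses constructed, syslog-like authentication lines (the field layout `user=`, `src=`, `result=` is an assumption), joins them against a constructed user list carrying each user's removal date, and returns the attempts that fall after that date.

```python
"""Audit query for item 22: access attempts after a user's passive date.

Added example, not from the article or the SureLog product. The user list
and log lines below are constructed sample data; the log field layout
(user=, src=, result=) is an assumption, not a real product format.
"""
from dataclasses import dataclass
from datetime import datetime
import re

# Constructed user inventory in the shape item 21 asks for: name, user id,
# creation date, and removal/passive date (None if the account is still active).
USERS = [
    {"name": "Ayse Demir",  "user_id": "ademir",   "created": "2021-03-01", "removed": "2023-06-30"},
    {"name": "Mehmet Kaya", "user_id": "mkaya",    "created": "2022-01-15", "removed": None},
    {"name": "Consultant1", "user_id": "ext-cons", "created": "2022-09-01", "removed": "2023-01-31"},
]

# Constructed authentication log lines (assumed syslog-like layout).
LOG_LINES = """\
2023-06-29T08:12:01Z auth src=10.1.2.3 user=ademir result=SUCCESS
2023-07-02T22:41:17Z auth src=10.1.2.3 user=ademir result=FAILURE
2023-07-02T22:41:25Z auth src=10.1.2.3 user=ademir result=FAILURE
2023-08-14T09:05:44Z auth src=10.1.5.9 user=mkaya result=SUCCESS
2024-02-10T03:15:00Z auth src=203.0.113.7 user=ext-cons result=SUCCESS
2023-01-20T10:00:00Z auth src=10.1.5.9 user=ext-cons result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    src: str
    user: str
    result: str


def parse_log(text: str) -> list[Attempt]:
    """Parse the assumed log layout into Attempt records, skipping malformed lines."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # skip malformed lines rather than silently misparsing them
            continue
        attempts.append(Attempt(
            ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            src=m["src"], user=m["user"], result=m["result"]))
    return attempts


def attempts_after_passive_date(users, attempts) -> dict[str, list[Attempt]]:
    """Return {user_id: [attempts on a day strictly after the user's removal date]}.

    Active users (removed is None) never produce findings. Both SUCCESS and
    FAILURE results are reported, since item 22 asks for all attempts.
    """
    passive = {u["user_id"]: datetime.strptime(u["removed"], "%Y-%m-%d").date()
               for u in users if u["removed"]}
    findings: dict[str, list[Attempt]] = {}
    for a in attempts:
        cutoff = passive.get(a.user)
        if cutoff is not None and a.ts.date() > cutoff:
            findings.setdefault(a.user, []).append(a)
    return findings


if __name__ == "__main__":
    for user, hits in attempts_after_passive_date(USERS, parse_log(LOG_LINES)).items():
        for a in hits:
            print(f"{user}: {a.result} from {a.src} at {a.ts.isoformat()}")
```

On the sample data the check reports two failed attempts for `ademir` after 30 June 2023 and one successful login for `ext-cons` after 31 January 2023; a success after the passive date is the finding an auditor will press on, since it means the account was not actually disabled. The query only sees whatever log window it is given, which is why item 22's five-year scope cannot be answered from logs that first have to be restored from an archive.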

Importance of Compliance with Capital Markets Board of Türkiye (SPK) Log Regulations

The CMB’s log storage regulation is of critical importance for ensuring the auditability and transparency of capital market transactions. This obligation matters greatly for the protection of investors, the prevention of market fraud, and the effectiveness of audit processes. By complying with these regulations, institutions fulfill their legal obligations while maintaining their reliability and reputation in the market. Institutions cannot openly declare that they do not comply with or fulfill these rules. However, for various reasons, some institutions seek ways to fulfill these obligations by taking log-related requirements less seriously and working from a lower-level request list.

For example, it is practically impossible to answer the audit queries listed above from archived logs alone: the queries cover at least the last 1 year, and item 22 covers the last 5 years, so the logs must be kept live. The difficulty lies in the time required to restore archived logs for an audit or incident response (unzipping and similar steps) and then reindex them, as well as the additional disk space this requires.

One way to soften such strict audits is to make the questions less serious and demanding. For instance, narrowing the query area from ‘Firewall reports for the last year (reports on access from the internal network to the external network at unusual hours and durations)’ to ‘Firewall reports for 3–10 January 2023 (reports on access from the internal network to the external network at unusual hours and durations)’ makes it possible to answer even from archives; another is to pass the audit with screenshots. It is well known that there are many similar methods.

SureLog SIEM offers a significant advantage in this regard. SureLog SIEM can comfortably store logs for 1 year live with a 2 TB disk for up to 3000 EPS.

Misinterpretation of Live and Archived Logs in Audits

In CMB audits, the phrase “logs must be kept for 5 years” does not specify whether they should be kept live or in archives, which leads to confusion or to underestimating the seriousness and criticality of the matter. In practice, however, as the 23 questions listed above show, quick access to these logs is required, and archive access does not provide this capability.

Risks Faced by Institutions and IT Managers

Institutions and IT managers face serious legal and financial risks if they do not comply with CMB regulations. In particular, if log records are not properly stored, deficiencies emerge during audits, leading to high fines, reputation loss, and even cancellation of licenses.

Consequences of Non-Compliance

Non-compliance with CMB regulations not only leads to legal sanctions but also undermines investor confidence and jeopardizes the healthy functioning of the market. Therefore, it is crucial for institutions and IT managers to comply meticulously with these regulations, make the necessary arrangements, and be prepared for audits regularly.

Conclusion

In conclusion, compliance with CMB log regulations is vital for the healthy functioning of capital markets and the protection of investors. Institutions and IT managers should comply with these regulations to fulfill their legal obligations and strengthen their position as reliable actors in the market. Compliance with CMB regulations is not just a legal requirement but also a tool to maintain the reputation and reliability of institutions in the market.

Written by Ertugrul Akbas

Entrepreneur, Security Analyst, Research.