Cybersecurity 2024 - Part 3

4. Key Affirmative Security Requirements

4.1 Personal Data

According to Article 12(1) of the DP Law, controllers are obliged to take all necessary technical and organisational measures to provide an appropriate level of security for the purposes of:

• — preventing unlawful processing of personal data;

• — preventing unlawful access to personal data; and

• — ensuring the protection of personal data.

Controllers are jointly responsible with processors for implementing these measures.

Controllers must carry out necessary internal audits to ensure the implementation of provisions of the DP Law.

Controllers and processors shall have a confidentiality agreement for an unlimited time.

For more information about the security measures that the DP Board considers as adequate, please see 3.3 Legal Requirements and Specific Required Security Practices. For data breach notification requirements, please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

4.2 Material Business Data and Material Non-public Information

There are no specific security requirements on material business data or material non-public information.

According to the TCrC, those who give or disclose to unauthorised persons information or documents constituting a commercial secret, banking secret or customer secret, which are obtained as a matter of their title or duty, occupation or profession, shall be subject to imprisonment from one year to three years and a judicial fine (corresponding to) up to 5,000 days upon complaint. Judicial fines are calculated and imposed on a daily basis, with the amount varying from TRY20 to TRY100 per day. The judge decides on the specific amount to be paid for each day depending on the economic and personal circumstances of the defendant.

According to Article 82(7) of the Turkish Commercial Code (TCC), merchants may ask the court to be issued a document if the books and documents that the merchant must keep are lost due to a disaster such as fire, flood, earthquake or theft.

According to Article 7(1) of the Electronic Ledger General Communiqué, if a force majeure event in the context of the Turkish Tax Procedure Law occurs which affects e-ledgers, e-bookkeepers are obliged to apply to the Turkish Revenue Administration within 15 days from the date of the event and demand a certificate of loss. A cyber-attack may be considered as a force majeure situation within the meaning of this Communiqué.

4.3 Critical Infrastructure, Networks, Systems and Software

Critical infrastructure sectors include the following:

• — e-communications;

• — energy;

• — water management;

• — critical public services;

• — transportation; and

• — banking and finance.

Some important security requirements for these sectors are as follows.

E-communications Sector

According to Article 37 of the By-Law on NIS in the E-Communications Sector, the report on NIS must be prepared by the operator every year until the end of March and kept for five years to be sent to ICTA upon request and/or submitted during the inspections made by ICTA. The report includes certain information, such as:

• — risk assessment and processing methods, and details of transactions made according to these methods;

• — business continuity plans; and

• — information on information security breach incidents that have occurred.

Per the By-Law, operators may not allow unlicensed software and software going against Information Security Management Systems Policy rules, and must take measures to protect information and software against harmful codes and identify security measures for downloading files or software via external networks.

Operators is also obligated to define and document rules related to the transfer of software from the development environment to the production environment.

Energy Sector

Please see the By-Law on Cybersecurity Competency Model in the Energy Sector in 1.7 Key Developments.

Banking and Finance Sector

Banks and other financial institutions under the authority of the BRSA must take the measures set forth in the ISBEBS By-Law.

Moreover, personal data specific to banking relationships are also considered as customer secrets under the Banking Law. This information cannot be disclosed or transferred to third parties that are either in Türkiye or abroad without receiving a request or explicit instruction from the customer to do so, even if the customer’s explicit consent to transfer personal data to a third party is obtained as per the DP Law. Please also see the Amendments to the Communiqué on Data Sharing in Payment Services in 1.7 Key Developments.

The following entities must keep their primary and secondary information systems in Türkiye:

• — banks;

• — payment institutions and electronic money institutions;

• — insurance and private pension companies (except for services such as email, teleconference or videoconference);

• —certain public companies, as well as certain capital markets institutions; and

• — financial lease, factoring and finance companies.

Other

In addition to these, the Minimum-Security Measures Document for Critical Information System Infrastructures, prepared by the Scientific and Technological Research Council of Türkiye, defines and categorises critical infrastructure in Türkiye. In addition, it determines the minimum-security measures required for critical infrastructure systems, including institutions and organisations operating critical infrastructures.

4.4 Denial of Service Attacks

Distributed denial of service (DDoS) is defined under Article 3(1)(g) in the By-Law on NIS in the E-Communications Sector.

This By-Law requires operators to establish mechanisms such as signal-processing control, user authentication control and access control in their IP addresses, communication ports and application protocols to protect their servers, routers and other network elements against cyber-attacks such as DoS/DDoS attacks.

4.5 Internet of Things (IoT), Software, Supply Chain, Other Data or Systems

The sectors with information security rules and the relevant legislation are as explained in 1.1 Laws, 1.2 Regulators and 4.3 Critical Infrastructure, Networks, Systems and Software. Although there are special provisions in the above-mentioned legislation, there is no general security requirement for the internet of things, software development, or other data or systems.

4.6 Ransomware/Extortion

In Türkiye, there are no specific legislative rules on reporting ransomware attacks, extortion or making ransom payments, or co-operation with law enforcement authorities, so the general data protection, cybersecurity regulations and the TCrC apply.

Please see 1.1. Laws, 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event and 5.8 Reporting Triggers.

5. Data Breach or Cybersecurity Event Reporting and Notification

5.1 Definition of Data Security Incident, Breach or Cybersecurity Event

Cybersecurity Event

A “cybersecurity event” is defined in the Communiqué on CERTs as a “breach or attempted breach of confidentiality, integrity or accessibility of industrial control or information systems or data processed by these systems”.

If an organisation is required to establish a CERT, in principle, its CERT must report any cybersecurity event to the TR-CERT and the relevant sectoral CERT (if applicable).

Conversely, an organisation which is not required to establish a CERT does not have such reporting duty (voluntary reporting is allowed).

Personal Data Breach

Unlike the GDPR, the DP Law does not include a definition of a personal data breach. Per the DP Board’s resolution on data breaches, controllers must report to the DP Board within 72 hours and notify the relevant data subjects within the shortest time possible if personal data is unlawfully acquired by third parties.

Also, unlike the GDPR, all personal data breaches must be reported to the DP Board and communicated to the affected data subjects (regardless of unlikeliness to result in a risk to the rights and freedoms of natural persons).

5.2 Data Elements Covered

Reporting a cybersecurity event covers any data processed by ICSs and information systems.

Reporting a personal data breach to the DP Board covers only personal data affected by such breach.

5.3 Systems Covered

Reporting a cybersecurity event covers ICSs and information systems.

Reporting a personal data breach covers any information system that processes personal data affected.

5.4 Security Requirements for Medical Devices

The By-Law on Turkish Medical Devices states certain requirements for cybersecurity.

Appendix 1 of the By-Law provides mandatory security requirements to be taken by medical device manufacturers.

5.5 Security Requirements for Industrial Control Systems (and SCADA)

The minimum-security requirements applying to the ICSs (and SCADA) are as follows.

• — Protecting the systems from unauthorised access:

1. management of physical access to the centre where the systems are located;

2. restricting access to the systems by computer networks; and

3. restricting portable storage platforms.

• — Management of authorised personnel’s access to the systems:

1. procedure for assigning the systems manager and operator;

2. management of authorised personnel’s user IDs and procedure of safe log-in;

3. records management and separation of duties; and

4. operating procedures, roles and responsibilities.

• — Management of systems’ procurement, development and maintenance:

1. management of application software’s safety;

2. management of technical deficits; and

3. maintenance contract;

• — Work continuity precautions:

1. back-up system centre, procedures and tests.

• — Employment of information systems security manager and personnel:

1. security manager;

2. personnel continuity; and

3. personnel training and education.

• — Documentation:

1. policy document; and

2. management of records.

• Intervention in cybersecurity events.

5.6 Security Requirements for IoT

The DTO’s Information and Communication Security Guide recommends certain security measures for the internet of things (IoT) regarding:

• — network services and communication;

• — internal data storage;

• — authentication and authorisation;

• — API and connection security; and

• — other measures.

As for the security of the personal data processed in IoT devices, please see 3.3 Legal Requirements and Specific Required Security Practices.

5.7 Requirements for Secure Software Development

There is no regulation that uniformly regulates the security software life cycle, patching and responsible disclosure of vulnerabilities, so the general data protection and cybersecurity regulations apply.

However, there are certain international standards and best practices that are followed by organisations in Türkiye:

• — ISO/IEC 27034 – this standard provides guidelines for application security, covering the entire software development life cycle, from requirements definition to deployment;

• — the Open Web Application Security Project (OWASP) – OWASP is a global non-profit organisation that provides resources and guidance for developing secure web applications;

• — the Building Security in Maturity Model (BSIMM) – the BSIMM is a set of best practices for software security that helps organisations understand how to build and maintain a software security programme; and

• — the National Institute of Standards and Technology (NIST) – NIST provides a framework for improving cybersecurity and managing cybersecurity risk.

Sector-specific requirements, if any, must also be considered.

5.8 Reporting Triggers

Cybersecurity Event

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event. 

Personal Data Breach

Please see 5.1 Definition of Data Security Incident, Breach or Cybersecurity Event.

Electronic Communication

In the telecommunications sector, according to the By-Law on NIS in the E-Communication Sector, the operator must notify ICTA regarding network and information security breaches that affect more than 5% of its subscribers and the circumstances that interrupt the continuity of the business. The notification must include, as a minimum, the time, nature, impact and duration of the breach, as well as the measures taken.

Banking and Finance

In the banking sector, pursuant to Article 18 of the ISBEBS By-Law, banks must report cyber-events to the BRSA.

Public Companies

A cyber-attack affecting a public company must be disclosed to the public as per the Communiqué on Material Events Disclosure. 

5.9 “Risk of Harm” Thresholds or Standards

There is no “risk of harm” threshold for reporting cybersecurity events or data breaches.