The Securities Commission Malaysia (SC) has recently issued comprehensive guidelines on technology risk management, set to take effect in August 2024. These guidelines are part of the SC's ongoing efforts to bolster the resilience and security of the capital market, aligning with the Capital Market Masterplan 3. The new directives represent a significant evolution from the SC's 2016 Cyber Risk Guidelines, introducing robust requirements for governance, technology risk management, technology operations, outsourcing, cybersecurity and data management.

Here’s What You Need to Know About the New Guidelines:

Technology Risk Management Framework

• Governance Requirements: The board of directors must approve a technology risk management (TRM) framework and appoint senior management to oversee its implementation via adequate internal controls and competent resources assigned.
• Technology Risk Management: Entities are required to establish and periodically review and update their TRM Framework at least once every three years. A risk register has to be maintained to facilitate monitoring and reporting of technology risk.

Technology Operations Management

• Project Management: Ensure that all technology projects are completed with clarity, alignment, traceability and with effective resource utilisation.
• Systems Acquisition and Development, System Testing and Acceptance, and Access Control Management: Establish and implement internal processes to cover these areas.
• Cryptography: Implementation of effective cryptographic measures to protect sensitive data. 
• Data Security and Privacy: Implementation of effective measures to prevent losses from data breach, internal and external threats, negligence and cyber attacks.
• Data Storage: Ensure that data and IT Systems are stored or hosted in a secure, robust and resilient environment, including cloud storage.
• Data Disposal: Ensure that data on devices and storage media are disposed appropriately to safeguard it from unauthorised disclosure.
• Change Management: Implement a change management process to oversee changes made to its IT systems. 
• Patch and Technology Obsolescence: Monitor and implement latest patches on a timely basis and monitor end-of-service dates of hardware and software.
• Network Resilience: Design a sound network architecture to support current and future growth to achieve high network availability, redundancy, accessibility and resiliency.
• Operational Resilience: Data centre operations, including use of cloud services must be operationally resilient and meet availability targets.
• IT Disaster Recovery Plan (“IT DRP”): Establish and test the IT DRP regularly to manage availability and restore it within recovery objectives.

  Technology Operations Management

• Project Management: Ensure that all technology projects are completed with clarity, alignment, traceability and with effective resource utilisation.
• Systems Acquisition and Development, System Testing and Acceptance, and Access Control Management: Establish and implement internal processes to cover these areas.
• Cryptography: Implementation of effective cryptographic measures to protect sensitive data. 
• Data Security and Privacy: Implementation of effective measures to prevent losses from data breach, internal and external threats, negligence and cyber attacks.
• Data Storage: Ensure that data and IT Systems are stored or hosted in a secure, robust and resilient environment, including cloud storage.
• Data Disposal: Ensure that data on devices and storage media are disposed appropriately to safeguard it from unauthorised disclosure.
• Change Management: Implement a change management process to oversee changes made to its IT systems. 
• Patch and Technology Obsolescence: Monitor and implement latest patches on a timely basis and monitor end-of-service dates of hardware and software.
• Network Resilience: Design a sound network architecture to support current and future growth to achieve high network availability, redundancy, accessibility and resiliency.
• Operational Resilience: Data centre operations, including use of cloud services must be operationally resilient and meet availability targets.
• IT Disaster Recovery Plan (“IT DRP”): Establish and test the IT DRP regularly to manage availability and restore it within recovery objectives.

Technology Service Provider Management

• Vendor Due Diligence: Undertake rigorous evaluation of third-party service providers to ensure that they meet the entity’s requirements.
• Ongoing Monitoring: Conduct regular reviews and audits of service providers to ensure that they are capable in managing risks and comply with the TRM Guidelines.
• Cloud Services: Ensure that the cloud service provider implements proper governance and controls in cloud strategy and cloud operational management.
• Contract Management: Service level agreements must be established to include the necessary provisions to manage risk.

Cybersecurity Management

• Cyber Security Framework: Establish a cybersecurity framework via the implementation of adequate cybersecurity controls and policies and procedures.
• Cyber Security Measures and Monitoring: Deploy in-depth defence and preventive cyber-security measures and implement continuous surveillance.
• Cyber Security Incident Response and Recovery: Establish cyber incident response capability to manage and minimise damage from cyber incidents and to recover from them.
• Cyber Security Assessment: Conduct regular assessments to identify potential vulnerabilities and cyber threats, and implement controls to mitigate them.
• Cyber Simulation Exercise: Implement cyber simulation exercise involving key stakeholders to assess the effectiveness of its cyber incident response and recovery.

Who Will Be Affected?

The guidelines are applicable to all capital market entities licensed, registered, approved, recognized, or authorized by the SC. Entities are expected to submit a declaration of compliance to the Securities Commission on the Guidelines on Technology Risk Management (GTRM) by the first quarter of 2025.

Management (GTRM) by the first quarter of 2025.

Next Actions for Capital Market Entities

As capital market entities navigate these new requirements, the task of ensuring compliance can be overwhelming. Engaging with a specialized cybersecurity expert can provide valuable support and guidance during this transition period. Here are several ways our firm can assist:

Framework Development

• Customized TRM Frameworks: Developing tailored TRM frameworks that meet the specific needs and risk profiles of individual entities.
• Policy and Procedure Design: Crafting comprehensive policies and procedures to align with the SC’s guidelines.

Audit and Assessment Services

• Gap Assessments: Conducting gap assessments to identify potential vulnerabilities and areas for improvement.
• Audit Support: Assisting in the establishment and execution of technology audit plans.

Training and Awareness Programs

• Staff Training: Providing training sessions to ensure that all employees are aware of and understand their roles in managing technology risks.
• Board and Management Briefings: Offering specialized briefings for board members and senior management on their responsibilities under the new guidelines.

Conclusion

The SC's new technology risk management guidelines mark a significant step forward in enhancing the cybersecurity and overall resilience of Malaysia's capital market. By working with a dedicated cybersecurity partner, entities can not only ensure compliance with these guidelines but also build a more secure and robust technological infrastructure. As the regulatory landscape evolves, proactive engagement and rigorous adherence to these new standards will be crucial for maintaining trust and integrity in the capital market.