Securities Commission Malaysia (SC) today issued new guidelines to enhance cyber resilience of the capital market by requiring capital market entities to establish and implement effective governance measures to counter cyber risk and protect investors.
The Guidelines on Management of Cyber Risk (Guidelines) clearly stipulate, among others, the roles and responsibilities of the board and senior management in building cyber resilience of a capital market entity. The guidelines have also mandated the entity to identify a responsible person to be accountable for the effective management of cyber risk.
These measures aim to ensure that cyber risk is managed in an optimised manner, in light of the changing landscape in the market.
“Against a backdrop of increased adoption of technology in capital market activities, operations of market intermediaries, market infrastructure and market-based financing platforms, it is imperative to ensure vigilant management of cyber risk. This will minimise disruption to the capital market, protect investors’ confidential data and preserve market confidence,” said Foo Lee Mei, Executive Director and General Counsel, Securities Commission Malaysia.
These Guidelines require regulated entities to have in place a risk management framework to minimise cyber threats, implement adequate measures to identify potential vulnerabilities in their operating environment and ensure timely response and recovery in the event of a cyber-breach. In this regard, regulated entities are required to implement adequate physical and systems security arrangements.
The involvement of the board and senior management is important to ensure that the capital market entity puts adequate focus on cyber risk issues, determines risk tolerance and priorities, and allocates sufficient resources to cyber risk. As such, these Guidelines require the entity to outline the roles and responsibilities of the board, responsible person and key personnel in critical functions with a role in managing cyber risk.
In order to enable the SC to engage effectively with capital market entities and to share information on cyber breaches and potential cyber threats, regulated entities are required to report cyber incidents to the SC. This engagement will enhance the industry’s awareness of, and preparedness in dealing with, cyber risk. It will also provide a platform for the SC to collaborate with market entities and stakeholders to enhance cyber resilience on an ongoing basis.
These Guidelines will be implemented in phases. Entities will be selected for the different phases based on, among others, size, nature of activities and market share.
The Guidelines on Management of Cyber Risk are available at www.sc.com.my. The Guidelines take effect on 31 October 2016.