Securities Commission Releases Consultation Paper on Technology Risk Management Framework

By Chad J. Johnson

Aug 4, 2022

The Malaysian Securities Commission (“SC”) published Public Consultation Document No. 1/2022 on August 1, 2022 to solicit public comments on its draft Regulatory Framework on Technology Risk Management (“the Framework”).

The SC proposes to apply the Framework to the following capital market entities:

  • Bursa Malaysia Bhd and its subsidiaries;
  • Federation of Malaysian Investment Managers;
  • Private Pension Administrator Malaysia;
  • Holders of a capital markets services license;
  • Recognized market operators;
  • Persons listed in Part 2 of Schedule 4 of the Capital Markets and Services Act 2007 (“CMSA”); and
  • Capital market service providers registered under CMSA Section 76A.

According to the SC, the objective of the Framework is two-fold: first, to ensure that all capital market entities have a strong and robust technology risk management framework that supports strong oversight of technology risks within the capital market entity; and second, to make the capital market cyber-resilient. To achieve these goals, the Framework combines principle-based and prescriptive requirements.

The Framework is divided into seven main parts, each setting out requirements for the specific areas covered by that part. They are the following:

1. Governance

  • Board Responsibilities
  • Senior Management Responsibilities
  • Cybersecurity awareness and training for board, senior management, employees and officers
  • Technological Audit

2. Technology Risk Management Framework

  • Risk identification, risk assessment, risk mitigation, risk monitoring, review and reporting on existing technology and any emerging technology adopted by the capital market entity

3. Technology Operations Management

  • Technology project management
  • System acquisition and development
  • System testing and acceptance
  • Access control management
  • Change management
  • Management of patches and technological obsolescence
  • Cryptography
  • Network resilience
  • Operational resilience
  • Computer Disaster Recovery Plan

4. Management of technology service providers

  • Business Continuity and IT Disaster Recovery Plan
  • Due diligence, contract management and performance monitoring
  • Cloud services
  • Contract management

5. Cybersecurity Framework

  • Cybersecurity Framework
  • Cybersecurity measures and monitoring
  • Cybersecurity incident response and recovery
  • Cybersecurity assessment
  • Cyber simulation exercise

6. Data management

  • Governance
  • Data quality
  • Data Security and Privacy
  • Data storage
  • Data disposal
  • Submission of data to the SC

7. Compliance process

  • Independent party pre-implementation readiness assessment for major services or major enhancement of critical systems

In addition, the Framework sets out four guiding principles relating to the adoption of artificial intelligence and machine learning, namely:

  • Responsibility
  • Transparency and explainability
  • Equity and non-discrimination
  • Practical precision and reliability

Once implemented, the Framework will incorporate the current requirements of the SC Guidelines on Management of Cyber Risk published in 2016, which the SC said do not cover technologies such as artificial intelligence, machine learning and distributed ledger technology that have emerged since those guidelines were introduced. The Framework will also consolidate other requirements related to technology risk management that are currently spread across the various guidelines issued by the SC.

Interested parties and members of the public can submit their comments, reactions and questions on the Framework to the SC by September 19, 2022.