SC issues guidelines to enhance cyber resilience of capital market

KUALA LUMPUR: Securities Commission Malaysia (SC) yesterday issued guidelines to enhance cyber resilience of the capital market by requiring capital market entities to establish and implement effective governance measures to counter cyber risk and protect investors.
The Guidelines on Management of Cyber Risk clearly stipulate, among others, the roles and responsibilities of the board and senior management in building cyber resilience of a capital market entity. The guidelines mandate the entity to identify a responsible person to be accountable for the effective management of cyber risk.
These measures aim to ensure that cyber risk is managed in an optimised manner, in light of the changing landscape in the market. 
“Against a backdrop of increased adoption of technology in capital market activities, operations of market intermediaries, market infrastructure and market-based financing platforms, it is imperative to ensure vigilant management of cyber risk. This will minimise disruption to the capital market, protect investors’ confidential data and preserve market confidence,” said SC executive director and general counsel Foo Lee Mei in a statement.
The guidelines require regulated entities to have in place a risk management framework to minimise cyber threats, implement adequate measures to identify potential vulnerabilities in their operating environment and ensure timely response and recovery in the event of a cyber-breach. In this regard, regulated entities are required to implement adequate physical and systems security arrangements.
The involvement of the board and senior management is important to ensure that the capital market entity puts adequate focus on cyber risk issues, determines risk tolerance and priorities, and allocates sufficient resources to cyber risk. As such, these guidelines require the entity to outline the roles and responsibilities of the board, responsible person and key personnel in critical functions with a role in managing cyber risk. 
Under the guidelines, capital market entities are required to share information on cyber breaches and potential cyber threats, and report cyber incidents to the SC. This engagement will enhance industry’s awareness on, and preparedness in dealing with, cyber risk. It will also provide a platform for SC to collaborate with market entities and stakeholders to enhance cyber resilience on an ongoing basis.
These guidelines will be implemented in phases. Entities will be selected for the different phases based on, among others, size, nature of activities and market share.