Almost a year after it sought feedback on its proposed guidelines on technology risk management, the Securities Commission Malaysia (SC) has issued the guidelines, which are expected to come into force by the third quarter of 2024.
The requirements set out in the guidelines include the establishment and implementation of an effective technology risk framework, technology project management, technology service provider management and cyber security management by capital market entities.
Essentially, the framework covers governance requirements and requirements on technology risks management, technology operations, technology outsourcing, cyber security and data management as well as principles relating to the adoption of artificial intelligence and machine learning.
Applicable to all capital market entities licensed, registered, approved, recognized or authorized by the SC, the guidelines, in line with the regulator’s Capital Market Masterplan 3, will subsume the current requirements in the SC’s 2016 cyber risk guidelines, consolidate other requirements relating to technology risks management in the various guidelines issued by the SC as well as introduce new requirements.
“The SC expects all capital market entities to continue complying with existing guidelines including the Guidelines on Management of Cyber Risk during the familiarization period of the guidelines, while working toward putting in place effective controls, policies and procedures to ensure compliance with the guidelines by the effective date,” the regulator said.
The new framework dictates that the board of directors of any licensed company will have to approve a technology risk management framework (TRM framework) and appoint at least one person from senior management to oversee day-to-day management of technology risk as well as the implementation of a technology and cyber security strategy.
The entity will also need to establish a technology audit plan, and to review and update its TRM framework periodically, at least once every three years.
Other requirements include the need to implement suitable and effective cryptographic controls to safeguard the confidentiality and integrity of sensitive data. This framework follows the release of a policy document on risk management in technology by Bank Negara Malaysia in June.