The Securities Commission (SC) of Malaysia released on Monday new guidelines on cyber resilience for capital market participants, requiring regulated entities to establish effective governance measures to counter cyber risk and protect investors. Regulated financial entities are now required to report any cyber incidents to the SC.
The move will enable the SC to share with concerned entities information on potential cyber threats and to enhance cyber resilience on an ongoing basis.
As part of the guidelines, the regulator requires capital market participants to implement adequate physical and systems security arrangements. For one thing, entities need to implement a risk management framework to minimize cyber threats, to ensure adequate measures to identify potential vulnerabilities in their operating environment and guarantee timely response and recovery in the event of a cyber breach. In addition, they have to identify a responsible person to be accountable for the effective management of cyber risk within the company and to outline the roles and responsibilities of the board and key personnel in managing cyber risk.
The guidelines, which read more like requirements than advice, take effect on 31 October 2016. They will be implemented in phases, and for each phase different entities will be selected based on size, nature of activities and market share, among others.
“Against a backdrop of increased adoption of technology in capital market activities, operations of market intermediaries, market infrastructure and market-based financing platforms, it is imperative to ensure vigilant management of cyber risk,” said Foo Lee Mei, executive director and general counsel at the SC. “This will minimize disruption to the capital market, protect investors’ confidential data and preserve market confidence,” she added.
The SC’s guidelines set out the important role an entity’s management plays in building cyber resilience. Management is responsible for establishing within the company, for putting adequate focus on cyber risk issues, determining risk tolerance and priorities, and allocating sufficient resources to cyber risk.
The SC is in charge of the securities and derivatives markets in Malaysia. It was set up in 1993 as a self-funding statutory body with investigative and enforcement powers. The commission reports directly to the Malaysian Minister of Finance. Its regulatory functions include, among others, regulation of all matters relating to securities and derivatives contracts; licensing and supervision of exchanges, clearing houses and central depositories; as well as encouraging self-regulation.