Malaysia Amps Up Cyber Risk Guidelines for Capital Markets
New Guidelines Focus on Board Accountability, Risk Management, Resilience
Malaysia's Securities Commission on Tuesday released new cybersecurity guidelines calling for stronger oversight and management of technology risks by investment and capital markets firms. The commission expects the new guidelines to go into effect in Q3 2024.
The securities market regulatory agency said the guidelines incorporate feedback received from the public on the proposed Regulatory Framework on Technology Risk Management published last year and are applicable to all capital market entities licensed, registered or authorized by the commission.
"Among the requirements set out in the guidelines include the establishment and implementation of an effective technology risk framework, technology project management, technology service provider management and cyber security management," the regulator said.
Malaysia's financial sector has benefited from economic development, with an overall capital market valuation of $800 billion at the end of December 2022 and about $380 billion in equities and $420 billion in bonds and other investments. Bursa Malaysia, the country's stock exchange, has 983 listed entities and a market cap of $397 billion.
The Securities Commission said the new guidelines will replace the 2016 guidelines on management of cyber risk to ensure strong oversight and management of technology risks and make the entities cyber resilient.
Boards Responsible for Cyber Risk
The guidelines say that the senior management of licensed entities is responsible for implementing technology risk management and cyber risk management frameworks. They call for capital market entities to appoint people within the senior management to implement cyber strategies and secure technologies.
The regulator also requires board members to review and update the risk management framework annually, allocate resources to ensure cyber resilience, conduct technology risk assessments before implementing new solutions, keep themselves up to date with new or emerging trends in technology risk, including cyberthreats, and understand the potential impact of those threats.
Senior management will also keep the board updated on cybersecurity, risk and compliance issues and on new and emerging technology risks, and obtain the board's sign-off on remedial measures.
Focus on Risk Audits and Awareness Programs
Once the new guidelines take effect, Malaysian capital market entities will need to conduct cybersecurity awareness training programs, conduct technology audits to measure the effectiveness of risk management, governance and internal controls, and conduct a post-implementation review on all critical technology and technology-related projects.
Capital markets firms will be mandated to maintain board-approved technology risk registers to facilitate the monitoring and reporting of technology risk and implement measures to prevent losses arising out of data breaches or cyberattacks.
The Securities Commission said its data privacy and security guidelines also require annual analysis of data and information assets, processes and controls, log management, access management and data loss prevention strategies.
The commission said capital market entities' cybersecurity frameworks should also include controls addressing the interoperability, usability and privacy of business data, as well as the necessary controls for identification, protection and prevention, detection, response and recovery.
"A capital market entity shall deploy defence-in-depth and preventive cybersecurity measures which are commensurate with its business model, risk appetite and level of technology dependency," the guidelines say. These measures include the deployment of antivirus and anti-malware software, web and email filtering systems, firewalls and solutions to counter advanced persistent threats.
New Rules to Govern AI and ML Systems Development
In its guidelines, the Securities Commission also stressed that capital market entities must emphasize accountability, transparency, fairness and nondiscrimination, and practice accuracy and reliability when adopting AI and machine-learning systems.
Capital market entities must adopt robust governance frameworks and processes for AI development and use, along with risk management processes, well-defined roles, and a capable workforce to manage AI and ML systems.
"A capital market entity should design its AI and ML systems in a way that respects the rule of law, human rights, democratic values and diversity, and should include appropriate safeguards to ensure that users or groups of users are not systematically disadvantaged or discriminated," the guidelines read. "It should ensure that data and models used for AI- and ML-driven decisions are regularly reviewed and validated to guard against the use of biased data or algorithms."