Geo Focus: Asia , Geo-Specific , Governance & Risk Management

Malaysia Amps Up Cyber Risk Guidelines for Capital Markets

New Guidelines Focus on Board Accountability, Risk Management, Resilience
Malaysia Amps Up Cyber Risk Guidelines for Capital Markets
Bursa Malaysia - the Malaysian stock exchange - building in Bukit Kewangan, Kuala Lumpur, Malaysia (Image: Shutterstock)

Malaysia's Securities Commission on Tuesday released new cybersecurity guidelines calling for stronger oversight and management of technology risks by investment and capital markets firms. The commission expects the new guidelines to go into effect in Q3 2024.

See Also: OnDemand | How To Meet Your Zero Trust Goals Through Advanced Endpoint Strategies

The securities' market regulatory agency said the guidelines incorporate feedback received from the public on the proposed Regulatory Framework on Technology Risk Management published last year and are applicable to all capital market entities licensed, registered or authorized by the commission.

"Among the requirements set out in the guidelines include the establishment and implementation of an effective technology risk framework, technology project management, technology service provider management and cyber security management," the regulator said.

Malaysia's financial sector has benefited from economic development, with an overall capital market valuation of $800 billion at the end of December 2022 and about $380 billion in equities and $420 billion in bonds and other investments. Bursa Malaysia, the country's stock exchange, has 983 listed entities and a market cap of $397 billion.

The Securities Commission said the new guidelines will replace the 2016 guidelines on management of cyber risk to ensure strong oversight and management of technology risks and make the entities cyber resilient.

Boards Responsible for Cyber Risk

The guidelines say that the senior management of licensed entities is responsible for implementing technology risk management and cyber risk management frameworks. They call for capital market entities to appoint people within the senior management to implement cyber strategies and secure technologies.

The regulator also requires board members to review and update the risk management framework annually, allocate resources to ensure cyber resilience, conduct technology risk assessments before implementing new solutions, keep themselves up to date with new or emerging trends of technology risk including cyberthreats, and understand the potential impact of those threats.

Senior management also will keep the board updated about cybersecurity issues, risk and compliance issues and new and potentially emerging technology risk, and get the board to sign off on remedial measures.

Focus on Risk Audits and Awareness Programs

Once the new guidelines take effect, Malaysian capital market entities will need to conduct cybersecurity awareness training programs, conduct technology audits to measure the effectiveness of risk management, governance and internal controls, and conduct a post-implementation review on all critical technology and technology-related projects.

Capital markets firms will be mandated to maintain board-approved technology risk registers to facilitate the monitoring and reporting of technology risk and implement measures to prevent losses arising out of data breaches or cyberattacks.

The Securities Commission said its data privacy and security guidelines also require annual analysis of data and information assets, processes and controls, log management, access management and data loss prevention strategies.

The commission said capital market entities' cybersecurity frameworks also should comprise cybersecurity controls to address interoperability, usability and privacy of business data and the necessary controls for identification, protection and prevention, detection, response and recovery measures.

"A capital market entity shall deploy defence-in-depth and preventive cybersecurity measures which are commensurate with its business model, risk appetite and level of technology dependency," the guidelines say. These measures include the deployment of antivirus and anti-malware software, web and email filtering systems, firewalls and solutions to counter advanced persistent threats.

New Rules to Govern AI and ML Systems Development

The Securities Commission in its guidelines also emphasized that capital market entities must emphasize accountability, transparency, fairness and nondiscrimination, and practice accuracy and reliability when adopting AI and machine-learning systems.

Capital market entities must adopt robust governance frameworks and processes for AI development and use, along with risk management processes, well-defined roles, and a capable workforce to manage AI and ML systems.

"A capital market entity should design its AI and ML systems in a way that respects the rule of law, human rights, democratic values and diversity, and should include appropriate safeguards to ensure that users or groups of users are not systematically disadvantaged or discriminated," the guidelines read. "It should ensure that data and models used for AI- and ML-driven decisions are regularly reviewed and validated to guard against the use of biased data or algorithms."

About the Author

Jayant Chakravarti

Jayant Chakravarti

Senior Editor, APAC

Chakravarti covers cybersecurity developments in the Asia-Pacific region. He has been writing about technology since 2014, including for Ziff Davis.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.