The Securities Commission Malaysia (‘SC’) issued Public Consultation Paper No. 1/2022 on 1 August 2022 to seek public feedback on its proposed Regulatory Framework on Technology Risk Management (‘the Framework’).

The SC proposes to apply the Framework to the following capital market entities:

  • Bursa Malaysia Bhd and its subsidiaries;
  • Federation of Investment Managers Malaysia;
  • Private Pension Administrator Malaysia;
  • Capital Markets Services Licence holders;
  • Recognized market operators;
  • Registered persons in Part 2 of Schedule 4 Capital Markets and Services Act 2007 (‘CMSA’); and
  • Capital market service providers registered under section 76A of the CMSA.

According to the SC, the objective of the Framework is two-pronged – first, for all capital market entities to have a robust and sound technology risk management framework that promotes strong oversight of technology risks in the capital market entity, and second, for the capital market to be cyber resilient. To achieve these objectives, the Framework provides a combination of principle-based and prescriptive requirements.

The Framework is divided into seven main parts, each of which sets out requirements for specific areas within that part. They are as follows:

1. Governance

  • Responsibilities of the board of directors
  • Responsibilities of senior management
  • Cybersecurity Awareness and Training for board, senior management, employees and agents
  • Technology audit

2. Technology Risk Management Framework

  • Risk identification, risk assessment, risk mitigation, risk monitoring, review and reporting on existing and any emerging technology adopted by the capital market entity

3. Technology Operations Management

  • Technology Project Management
  • System Acquisition and Development
  • System Testing and Acceptance
  • Access Control Management
  • Change Management
  • Patch Management and Technology Obsolescence
  • Cryptography
  • Network Resilience
  • Operational Resilience
  • IT Disaster Recovery Plan

4. Technology Service Provider Management

  • Business Continuity and IT Disaster Recovery Plan
  • Due Diligence, Contract Management and Performance Monitoring
  • Cloud Services
  • Contract Management

5. Cyber Security Framework

  • Cyber Security Framework
  • Cyber Security Measures and Monitoring
  • Cyber Security Incident Response and Recovery
  • Cyber Security Assessment
  • Cyber Simulation Exercise

6. Management of Data

  • Governance
  • Data Quality
  • Data Security and Privacy
  • Data Storage
  • Data Disposal
  • Submission of Data to the SC

7. Compliance Process

  • Pre-implementation readiness assessment by an independent party for major services or major enhancements of critical systems

In addition, the Framework sets out four guiding principles in relation to the adoption of artificial intelligence and machine learning, namely:

  • Accountability
  • Transparency and Explainability
  • Fairness and Non-Discrimination
  • Practical Accuracy and Reliability

When implemented, the Framework will subsume the current requirements in the SC’s Guidelines on the Management of Cyber Risk issued in 2016, which the SC acknowledges did not cover technologies such as artificial intelligence, machine learning and distributed ledger technology that have emerged since the introduction of those guidelines. The Framework will also consolidate other requirements relating to technology risk management in the various guidelines issued by the SC.

Interested parties and members of the public may submit their comments, feedback and queries on the Framework to the SC by 19 September 2022.