In August 2023, the Securities Commission Malaysia ("SC") issued the Guidelines on Technology Risk Management ("TRM Guidelines") to enhance the management of technology risks by capital market entities ("CMEs"), in response to the growing adoption of technology among CMEs in recent years.
The TRM Guidelines are applicable to all CMEs licensed or registered under the Capital Market Services Act 2007. The guidelines are expected to come into effect by the third quarter of 2024, subject to further announcements from SC on the effective date of the TRM Guidelines.
Once the TRM Guidelines take effect, they will supersede the existing requirements under SC's Guidelines on Management of Cyber Risk.
The TRM Guidelines introduce more detailed and enhanced requirements, including the requirements for CMEs to:
- ensure that their workforce undergoes annual cybersecurity awareness training;
- establish a technology audit plan and a comprehensive Technology Risk Management Framework that addresses specific areas identified in the TRM Guidelines;
- comply with the minimum requirements outlined in the TRM Guidelines on technology operations management, which encompass elements such as network and operational resilience, system security requirements, change management and patch management;
- conduct due diligence before selecting third-party service providers, and ensure that the Service Level Agreements executed with these providers contain the mandatory provisions outlined in the TRM Guidelines;
- implement a comprehensive cybersecurity framework with cybersecurity controls that align with their risk profile and business needs;
- notify SC upon detecting either (i) technology incidents that may potentially affect their business operations or clients; or (ii) cyber incidents that fall within the parameters defined in the TRM Guidelines, on the day of the occurrence of the incident through SC's Vault Portal; and
- be guided by the guiding principles relating to the adoption of artificial intelligence (AI) and machine learning prescribed by the TRM Guidelines when adopting such technologies.
CMEs are encouraged to proactively establish the necessary controls, policies and procedures to comply with the TRM Guidelines before the TRM Guidelines come into legal effect.