menu close EventsNewsContact Us search close
Global Site close
  • Americas
  • Asia Pacific
  • Europe
  • Middle East and Africa
ArgentinaArubaBahamasBarbadosBoliviaBrazilCanadaCayman IslandsChileColombiaCosta RicaCuracaoDominican RepublicEcuadorEl SalvadorGuatemalaHondurasMexicoPanamaParaguayPeruPuerto RicoSaint MartinSurinameUnited StatesUruguayVenezuela
AfghanistanAustraliaCambodiaChinaHawaiiHong KongIndiaIndonesiaJapanMacauMalaysiaMaldivesMongoliaMyanmarNepalNew ZealandPakistanPhilippinesSingaporeSouth KoreaSri LankaTaiwanThailandVietnam
AlbaniaAndorraArmeniaAustriaAzerbaijanBelgiumBulgariaCroatiaCyprusCzech RepublicDenmarkEstoniaFinlandFranceGeorgiaGermanyGreeceHungaryIrelandItalyKazakhstanLatviaLiechtensteinLithuaniaLuxembourgMaltaMoldovaNetherlandsNorwayPolandPortugalRomaniaSerbiaSlovakiaSloveniaSpainSwedenSwitzerlandTajikistanTurkeyUkraineUnited KingdomUzbekistan
AlgeriaAngolaBahrainCôte d’IvoireEgyptGhanaIraqJordanKenyaKuwaitLebanonLiberiaMaliMauritiusMoroccoMozambiqueNigeriaOmanQatarSaudi ArabiaSenegalSierra LeoneSouth AfricaTanzaniaTogoTunisiaUgandaUnited Arab EmiratesYemenZimbabwe
Services
close Services
Tax
Services
Industries
close Industries
Industries
Insights
close Insights
Insights
About Us
close About Us
About Us
Careers
close Careers
Careers
EventsNewsContact Us
search close
home Insights
Board of directors reviewing Technology Risk Management (TRM) framework and cybersecurity policies for compliance with new guidelines

Navigating the New Technology Risk Management (TRM) Guidelines

Ensuring Cybersecurity Compliance for Capital Market Entities

Amos Law
05/06/2024
Board of directors reviewing Technology Risk Management (TRM) framework and cybersecurity policies for compliance with new guidelines
The Securities Commission Malaysia (SC) has recently issued comprehensive guidelines on technology risk management, set to take effect in August 2024. These guidelines are part of the SC's ongoing efforts to bolster the resilience and security of the capital market, aligning with the Capital Market Masterplan 3. The new directives represent a significant evolution from the SC's 2016 Cyber Risk Guidelines, introducing robust requirements for governance, technology risk management, technology operations, outsourcing, cybersecurity and data management.

Here’s What You Need to Know About the New Guidelines:

Technology Risk Management Framework
  • Governance Requirements: The board of directors must approve a technology risk management (TRM) framework and appoint senior management to oversee its implementation via adequate internal controls and competent resources assigned.
  • Technology Risk Management: Entities are required to establish and periodically review and update their TRM Framework at least once every three years. A risk register has to be maintained to facilitate monitoring and reporting of technology risk.
Technology Operations Management
  • Project Management: Ensure that all technology projects are completed with clarity, alignment, traceability and with effective resource utilisation.
  • Systems Acquisition and Development, System Testing and Acceptance, and Access Control Management: Establish and implement internal processes to cover these areas.
  • Cryptography: Implementation of effective cryptographic measures to protect sensitive data. 
  • Data Security and Privacy: Implementation of effective measures to prevent losses from data breach, internal and external threats, negligence and cyber attacks.
  • Data Storage: Ensure that data and IT Systems are stored or hosted in a secure, robust and resilient environment, including cloud storage.
  • Data Disposal: Ensure that data on devices and storage media are disposed appropriately to safeguard it from unauthorised disclosure.
  • Change Management: Implement a change management process to oversee changes made to its IT systems. 
  • Patch and Technology Obsolescence: Monitor and implement latest patches on a timely basis and monitor end-of-service dates of hardware and software.
  • Network Resilience: Design a sound network architecture to support current and future growth to achieve high network availability, redundancy, accessibility and resiliency.
  • Operational Resilience: Data centre operations, including use of cloud services must be operationally resilient and meet availability targets.
  • IT Disaster Recovery Plan (“IT DRP”): Establish and test the IT DRP regularly to manage availability and restore it within recovery objectives.
Technology Service Provider Management
  • Vendor Due Diligence: Undertake rigorous evaluation of third-party service providers to ensure that they meet the entity’s requirements.
  • Ongoing Monitoring: Conduct regular reviews and audits of service providers to ensure that they are capable in managing risks and comply with the TRM Guidelines.
  • Cloud Services: Ensure that the cloud service provider implements proper governance and controls in cloud strategy and cloud operational management.
  • Contract Management: Service level agreements must be established to include the necessary provisions to manage risk.
Cybersecurity Management
  • Cyber Security Framework: Establish a cybersecurity framework via the implementation of adequate cybersecurity controls and policies and procedures.
  • Cyber Security Measures and Monitoring: Deploy in-depth defence and preventive cyber-security measures and implement continuous surveillance.
  • Cyber Security Incident Response and Recovery: Establish cyber incident response capability to manage and minimise damage from cyber incidents and to recover from them.
  • Cyber Security Assessment: Conduct regular assessments to identify potential vulnerabilities and cyber threats, and implement controls to mitigate them.
  • Cyber Simulation Exercise: Implement cyber simulation exercise involving key stakeholders to assess the effectiveness of its cyber incident response and recovery.
Digital fiber

Who Will Be Affected?

The guidelines are applicable to all capital market entities licensed, registered, approved, recognized, or authorized by the SC. Entities are expected to submit a declaration of compliance to the Securities Commission on the Guidelines on Technology Risk Management (GTRM) by the first quarter of 2025.

Next Actions for Capital Market Entities

As capital market entities navigate these new requirements, the task of ensuring compliance can be overwhelming. Engaging with a specialized cybersecurity expert can provide valuable support and guidance during this transition period. Here are several ways our firm can assist:
Framework Development
  • Customized TRM Frameworks: Developing tailored TRM frameworks that meet the specific needs and risk profiles of individual entities.
  • Policy and Procedure Design: Crafting comprehensive policies and procedures to align with the SC’s guidelines.
Audit and Assessment Services
  • Gap Assessments: Conducting gap assessments to identify potential vulnerabilities and areas for improvement.
  • Audit Support: Assisting in the establishment and execution of technology audit plans.
Training and Awareness Programs
  • Staff Training: Providing training sessions to ensure that all employees are aware of and understand their roles in managing technology risks.
  • Board and Management Briefings: Offering specialized briefings for board members and senior management on their responsibilities under the new guidelines.
Cybersecurity expert conducting a gap assessment for a financial institution to identify vulnerabilities and ensure TRM compliance.

Conclusion

The SC's new technology risk management guidelines mark a significant step forward in enhancing the cybersecurity and overall resilience of Malaysia's capital market. By working with a dedicated cybersecurity partner, entities can not only ensure compliance with these guidelines but also build a more secure and robust technological infrastructure. As the regulatory landscape evolves, proactive engagement and rigorous adherence to these new standards will be crucial for maintaining trust and integrity in the capital market.

Our Cybersecurity services

Shielding Your Digital Frontier: Cybersecurity Solutions
Discover More

Our Expert

Our experienced professionals are ready to serve and take your business to the next level of growth.

Our Cybersecurity Services
Name
Amos Law
Partner
Location: Kuala Lumpur
Profile
Our Cybersecurity Services

Related Articles

Cybersecurity Threats
Have you assessed your vulnerability risks to cybersecurity threats?
Exemption from Labuan Tax: Enhancing Islamic Financial Services Sector
Labuan's 3% tax rate and tax exemption for Syariah-compliant financial services boost its appeal as a tax-efficient Islamic financial hub.
Key Changes to Transfer Pricing Rules 2023 in Malaysia
Discover the latest transfer pricing rules and tax measures in Malaysia
Tax Filing Deadlines in Malaysia: A Guide for Individuals, Companies, Trusts and Other Taxpayers
Learn about the Tax Compliance Guidelines for Individuals Companies Trusts and Other Taxpayers

Stay Up-to-date with Our Newsletter

Click to Subscribe