Securities Commission issues Guidelines on Technology Risk Management

The Securities Commission Malaysia (“SC”) issued the Guidelines on Technology Risk Management (“the Guidelines”) on 1 August 2023.
 
Application and enforcement
 
The Guidelines will apply to the following capital market entities: 
  • an exchange holding company, stock exchange, derivatives exchange, clearing house and trade repository approved under the Capital Markets and Services Act 2007 (“CMSA”);
  • a central depository approved under the Securities Industry (Central Depositories) Act 1991;
  • a self-regulatory organisation recognised under the CMSA;
  • a private retirement scheme administrator approved under the CMSA;
  • a Capital Markets Services Licence holder;
  • a recognised market operator registered under the CMSA;
  • a registered person provided in Part 2 of Schedule 4 of the CMSA; and
  • a person providing capital market services registered under section 76A of the CMSA, 
(severally a “capital market entity” and collectively “capital market entities”).
 
The Guidelines will come into effect on a date to be announced by the SC, which is expected to be in the third quarter of 2024. This is to provide sufficient time for capital market entities to familiarise themselves with the requirements of the Guidelines for the purpose of compliance.[1]
 
When the Guidelines come into effect, they will replace the Guidelines on Management of Cyber Risk issued by the SC on 31 October 2016 (“the Cyber Risk Guidelines”).
 
Capital market entities are expected to assess the application of the Guidelines and ensure the extent and degree of implementation commensurate with their respective business operations as well as the level of technology risk exposures.
 
Objective
 
The Guidelines seek to achieve a two-pronged outcome: first, that every capital market entity has a robust and sound technology risk management framework which promotes strong oversight of technology risks within the entity, and second, that the capital market as a whole is cyber resilient.
 
Summary of the requirements
 
Part B of the Guidelines sets out the requirements in respect of six specific areas. These are summarised below.
 
1.    Governance 
  • Responsibilities of the board of directors
  • Responsibilities of senior management
  • Cybersecurity awareness and training for the board, senior management, employees and agents
  • Technology audit requirements 
2.    Technology Risk Management 
  • Requirement to establish a Technology Risk Management Framework (“TRM Framework”) comprising risk identification, risk assessment, risk mitigation, risk monitoring, review and reporting on the existing and any emerging technology adopted by the capital market entity 
Guidance on each component of the TRM Framework is provided in Appendix 1 of the Guidelines.
 
3.    Technology Operations Management 
  • Technology Project Management
  • System Acquisition and Development, System Testing and Acceptance and Access Control Management
  • Cryptography
  • Data Security and Privacy
  • Data Storage
  • Data Disposal
  • Change Management
  • Patch Management and Technology Obsolescence
  • Network Resilience
  • Operational Resilience
  • IT Disaster Recovery Plan 
4.    Technology Service Provider Management 
  • Due Diligence, Contract Management and Performance Monitoring
  • Cloud Services
  • Contract Management 
5.    Cyber Security Management 
  • Cyber Security Framework
  • Cyber Security Measures and Monitoring
  • Cyber Security Incident Response and Recovery
  • Cyber Security Assessment
  • Cyber Simulation Exercise 
6.    Notification Process to the SC 
  • Notification for Technology-Related Implementation
  • Notification of Technology Incident and Cyber Incident 
The forms containing the details to be included in the notifications are set out in Appendix 4 and Appendix 5 of the Guidelines.
 
In addition, the Guidelines set out four guiding principles in relation to the adoption of artificial intelligence and machine learning, namely: 
  • Accountability
  • Transparency and Explainability
  • Fairness and Non-Discrimination
  • Practical Accuracy and Reliability 
Refer to Appendix 3 of the Guidelines for an elaboration of these principles.
 
The SC has also issued a set of Frequently Asked Questions in relation to the Guidelines.
 
Comments
 
The requirements under the Guidelines are significantly more detailed than those contained in the Cyber Risk Guidelines that they will replace. The Guidelines also cover technologies such as artificial intelligence, machine learning and distributed ledger technology that have emerged since the Cyber Risk Guidelines were introduced in 2016.
 
Alert prepared by Tan Wei Liang (Senior Associate) of the Corporate Practice of Skrine

[1] Question 2 of the Frequently Asked Questions on the Guidelines on Technology Risk Management.

This alert contains general information only. It does not constitute legal advice nor an expression of legal opinion and should not be relied upon as such. For further information, kindly contact skrine@skrine.com.