Securities Commission Issues Guiding Principles on Business Continuity

The Securities Commission Malaysia (‘SC’) issued the Guiding Principles on Business Continuity (‘Guidance Document’) on 14 May 2019, and the Guidance Document takes effect immediately.
The Guidance Document applies to capital market entities, i.e. those that are regulated by the SC via licensing, approval or registration, as required under securities laws, except for the following –
  • financial institutions which are registered persons under Part 1 of Schedule 4 of the Capital Markets and Services Act 2007;
  • entities registered under the SC’s Guidelines on the Registration of Venture Capital and Private Equity Corporations and Management Corporations; and
  • Pengurusan Danaharta Nasional Berhad and its subsidiaries.
The Guidance Document serves as guidance on the SC’s expectations on business continuity and as a platform to increase awareness among capital market entities of the importance of having an effective business continuity arrangement.
The Guidance Document sets out the minimum standards that capital market entities are encouraged to adopt based on the nature, size and complexity of their business operations.
The Guidance Document sets out six principles, namely –
  1. The collective responsibility of the board and senior management in ensuring sound and effective business continuity of a capital market entity;
  2. Identifying, assessing, managing and mitigating risks from major operational disruptions (including those from interdependency and concentration of business functions and outsourcing arrangements);
  3. Developing recovery objectives and strategies;
  4. Establishing comprehensive escalation and communications procedures as part of the business continuity framework;
  5. Testing of critical business functions on a regular basis (at least annually) and provision of training to business continuity coordinators; and
  6. Maintaining, reviewing and updating the business continuity framework on a regular basis.
The SC has emphasised that the six principles set out in the Guidance Document are not intended to be prescriptive, but constitute a broad framework of best practices relevant to capital market entities.
A capital market entity is required to notify the SC in the prescribed format of any event that triggers the activation or execution of its business continuity arrangement or protocols within three business days of the occurrence of such event.