Supervision



Supervision of Technology and Cyber Risk Assessments
In 2024, the SC observed a growing reliance on advancing technologies, such as blockchain, cloud, artificial intelligence (AI), and internet of things (IoT), to improve efficiency, automation and data-driven decision-making. While these technological advancements offer significant benefits, they also introduce new risks and challenges. This year saw increasing concerns over malware and ransomware attacks, resulting in data leaks for affected organisations. Additionally, technology resilience and preparedness within the market faced scrutiny following the CrowdStrike outage, underscoring the critical need to address supply chain vulnerabilities.
Revision of the Guidelines on Technology Risk Management
On 19 August 2024, the Guidelines on Technology Risk Management (GTRM) was revised and implemented. This implementation follows a one-year familiarisation period that began on 1 August 2023. The intention was to provide adequate time for capital market entities (CME) to prepare and enable themselves to meet the requirements of the GTRM. The GTRM superseded the Guidelines on Management of Cyber Risk (GMCR), which primarily addressed cyber security concerns. In contrast, the GTRM offers a more comprehensive framework that integrates technology risk management, effectively addressing a wider range of risks within the capital market.
Monitoring Technology and Cyber Trends
Under the GTRM, CMEIs are required to report technology and cyber incidents via the Vault system, a case management platform designed for CME to report such incidents. The Vault system also facilitates effective analysis of trends and root causes, thereby strengthening the SC’s oversight capabilities.

Since the introduction of the GTRM, there has been a notable increase in reported incidents, which has enhanced the SC’s visibility into the industry’s risk posture and reinforced efforts to ensure technology and cyber resilience within the capital market. The SC’s analysis of incidents reported via the Vault from Q1 to Q4 2024 indicates that 77% were classified as technology incidents, primarily involving hardware or software failures. The remaining 23% were categorised as cyber security incidents, with data breaches being the most prevalent. These findings highlight the critical importance of robust management of software and hardware components, particularly in addressing supply chain risks. The SC strongly advised organisations to remain vigilant given the potential repercussions of these risks.

Despite a decrease in overall cyber security incidents compared to 2023, each new incident presents the risk of greater organisational impact. Notably in 2024, the increased frequency of ransomware and malware cases has brought data confidentiality risks to affected organisations.

Mitigating Systemic Risks And Promoting Financial Stability

Enhanced Risk Governance Framework

In 2021, the SC-wide risk governance framework was enhanced as part of an overall initiative to have effective, integrated and predictive risk surveillance to maintain regulatory agility.

The structured risk governance framework integrated the wider spectrum of risks such as technology, cyber and conduct risk at the SC’s Systemic Risk Oversight Committee (SROC) and Accounting, Market and Corporate Surveillance Committee (ACMS).


Intensified surveillance

The SC continued to intensify its surveillance of systemic risk to maintain market resilience and stability. Regular SROC engagements were held to deliberate concerns emanating from various segments across the capital market. The domestic equity and bond markets, foreign fund flows and trade participation continued to be monitored closely for potential stress points.

In addition, measures and economic stimulus packages introduced by the government to weather the impact of COVID-19, market trading conduct and the financial position of listed companies were among the focus areas for discussion.


Thematic assessments

The SC also conducted thematic assessments covering investors’ fund flows, the position of firms, and policy decisions to ascertain the possible impact on the capital market. In 2021, the SC reviewed and enhanced its crisis indicators on potential emerging risks in the capital market.

The enhanced crisis indicators provided a reference point for escalation to SROC when the identified indicators and triggers materialised and ensured prompt response to manage and prevent any issues of concern that might lead to a systemic crisis.


Joint regulatory discussions

In 2021, the SC conducted frequent joint regulatory discussions with other authorities such as Bank Negara Malaysia (BNM) and Labuan Financial Services Authority (Labuan FSA) to identify systemic risk concern areas within the financial and capital markets in Malaysia.


Monitoring of various components of the capital market

The SC continued its efforts to undertake a methodological and integrated approach to ensure any potential systemic risk was being monitored, mitigated, or managed. Figure 1 highlights the findings from the following risk assessments on the various components of the capital market.

© Copyright Securities Commission Malaysia