Supervision


Supervision of Technology

Strengthening Cyber Resilience as Sector Lead under the Cyber Security Act 2024

The year 2025 marked a pivotal point of consolidation and execution for the SC in advancing Malaysia’s national cyber resilience agenda. Building on the significant regulatory milestones achieved in 2024, particularly the implementation of the revised Guidelines on Technology Risk Management (GTRM) and the Cyber Security Act 2024 (Cyber Security Act), the SC’s focus was on effective implementation, enhanced supervisory engagement, and operationalising its expanded mandate as sector lead for banking and finance.

2025 marks the first full supervisory cycle under the enhanced requirements, following the enforcement of GTRM in August 2024. The SC has intensified its oversight of capital market entities to ensure alignment with GTRM standards across governance structures, reporting mechanisms, third-party risk management practices, technology audits, and board oversight responsibilities. This includes targeted thematic assessments, engagement with boards and senior management, and continuous monitoring to strengthen accountability and resilience against evolving technology and cyber threats.

Since the gazettement of the Cyber Security Act in June 2024 and the SC’s appointment as sector lead for the banking and finance sector by Prime Minister Dato’ Seri Anwar bin Ibrahim in September 2024, the SC has commenced operationalising its responsibilities as sector lead, including conducting initial assessment and designating National Critical Information Infrastructure (NCII) entities, developing a sector-specific Cyber Security Code of Practice (Code of Practice), and establishing sectoral compliance monitoring and incident coordination mechanisms. These initiatives are critical to ensuring that Malaysia’s financial infrastructures operate under coherent, sector-wide baseline standards for cyber security.

With the NCII designation exercise completed in late 2024, the SC’s priority in 2025 was to supervise and support compliance with by designated entities. Developed in alignment with the GTRM, industry best practices, and statutory requirements under the Cyber Security Act, the Code of Practice sets minimum security controls and processes expected of NCII entities. Throughout the year, the SC worked closely with regulated entities to guide implementation, strengthen supervisory structures, and ensure incident reporting and robust response mechanisms.

In parallel, the SC is advancing Malaysia’s capital market preparedness for quantum threats through active collaboration with the National Cyber Security Agency (NACSA) and the Pusat Teknologi dan Pengurusan Kriptologi Malaysia (PTPKM) on a national Post-Quantum Cryptography (PQC) migration plan. Building on engagements with NACSA in 2025, the SC is now focusing on sector-specific planning to ensure that critical capital market systems are well positioned for future cryptographic transitions, consistent with global developments.

Collectively, these initiatives, encompassing the GTRM implementation, activation of sector lead functions, NCII compliance operationalisation, and advancement of PQC resilience, underscore the SC’s role in 2025 as a key enabler and national leader in technology risk oversight and cyber governance. Through the integration of its regulatory mandate with its expanded national role under the Cyber Security Act, the SC is driving systemic cyber resilience across the financial sector and contributing meaningfully to Malaysia’s broader national cyber security objectives.

Mitigating Systemic Risks And Promoting Financial Stability

Enhanced Risk Governance Framework

In 2021, the SC-wide risk governance framework was enhanced as part of an overall initiative to have an effective integrated and predictive risk surveillance to maintain regulatory agility.

The structured risk governance framework integrated the wider spectrum of risks such as technology, cyber and conduct risk at the SC’s Systemic Risk Oversight Committee (SROC) and Accounting, Market and Corporate Surveillance Committee (ACMS).


Intensified surveillance

The SC continued to intensify its surveillance of systemic risk to maintain market resilience and stability. Regular SROC engagements were held to deliberate concerns emanating from various segments across the capital market. Domestic equity and bond market, foreign fund flows and trade participation continued to be monitored closely for potential stress points. 

In addition, measures and economic stimulus packages introduced by the government to weather the impact of COVID-19, market trading conduct and the financial position of listed companies were among the focus areas for discussion.


Thematic assessments

The SC also conducted thematic assessments covering investors’ fund flows, the position of firms, and policy decisions to ascertain the possible impact on the capital market. In 2021, the SC reviewed and enhanced its crisis indicators on potential emerging risks in the capital market.

The enhanced crisis indicators provided a reference point for escalation to SROC when the identified indicators and triggers materialised and ensured prompt response to manage and prevent any issues of concern that might lead to a systemic crisis.


Joint regulatory discussions

In 2021, the SC conducted frequent joint regulatory discussions with other authorities such as Bank Negara Malaysia (BNM) and Labuan Financial Services Authority (Labuan FSA) to identify systemic risk concern areas within the financial and capital markets in Malaysia.


Monitoring of various components of the capital market

The SC continued its efforts to undertake a methodological and integrated approach to ensure any potential systemic risk was being monitored, mitigated, or managed. Figure 1 highlights the findings from the following risk assessments on the various components of the capital market.
