Page 104 - CMP3

Market participants have begun to take advantage of new technologies to enhance their capabilities in distribution channels, sales support and back office operations such as reconciliation and fraud detection. This is further enabled by cloud-based and as-a-service offerings ranging from software to platform to infrastructure, which have shortened the time needed to deploy new digital capabilities. The proliferation of data usage and the ability to mine large amounts of data may offer valuable insights and new opportunities. However, basic data hygiene issues remain a challenge and will have to be addressed to mitigate the risk of inaccuracies and erroneous reporting.
In 2017, cyber perpetrators threatened a potential large-scale distributed denial of service (DDoS) [13] attack on numerous stock broking firms in Malaysia. Although this incident did not result in any trading disruption or financial losses, it highlighted the potential systemic impact of a cyber incident on the Malaysian capital market. Following the DDoS event, the reported number of cyber security incidents and threats continued to increase as regulated entities pivoted towards digital adoption. In 2020 alone, cyber security incidents increased by over threefold compared to 2019 [14]. Most of these incidents were related to phishing and intrusions [15], which could potentially lead to serious material and reputational loss to businesses.
Cyber resilience has therefore become imperative for all capital market participants and a significant priority for the SC. In 2018, the Cyber Risk Working Group was set up, consisting of representatives from the SC and market participants, to discuss cyber issues and strengthen industry resilience against cyber risk. Relevant market participants are also assessed annually on their general preparedness for cyber attacks through an industry-wide cyber security simulation exercise. This annual simulation exercise (Capital Market Cyber Simulation) was designed to simulate cyber incident scenarios as close to the real situation as possible. Although market participants have demonstrated improvements in their ability to detect, respond to and recover from cyber attacks, cyber threats have evolved as well. For example, cyber attackers have started to exploit loopholes in the supply chain as potential entry points into organisations that have solid cyber controls in place, and to weaponise AI for cyber attacks. Hence, it is important for the industry to continue elevating its cyber resilience and cyber readiness.
Along with digitisation efforts by the broader market, the SC has continued to pursue its own digitisation journey to automate interactions with market participants, augment policymaking as well as enhance its supervisory and enforcement efficiency. Regulatory submissions and reporting to the SC have been digitised and streamlined over the past decade through the LOLA Online Submission System and Common Reporting Platform (ComRep). Efforts to incorporate advanced analytics in the SC’s regulatory functions have also begun, as outlined in section 4.3.3. These are being deployed to evaluate the adoption of CG practices by PLCs as well as to enable real-time analytics and relationship analysis in market surveillance. In addition, a pilot project on DLT was carried out to further the SC’s understanding of this new technology. Efforts to build digital forensic capabilities are also underway to enhance the management of digital-based evidence for the investigation and prosecution of cyber-crimes. With the SC consuming more data than ever before, data analytics is being embedded even deeper into internal processes to deliver more effective, evidence-based policies and decision-making.
[13] A DDoS hit occurs when the bandwidth of a targeted system is flooded with traffic – typically from hijacked or infected machines – to overwhelm the system’s capacity and render its services inaccessible.
[14] Internal analysis, SC, 2020.
[15] Cyber intrusion refers to the act of gaining unauthorised access to a computer system.
102 SECURITIES COMMISSION MALAYSIA