4.3.2 NAVIGATING EMERGING TECHNOLOGY RISKS
While there has been an overall improvement in the industry’s level of cyber security awareness and preparedness, there are still areas that can be further strengthened. Market participants need to remain vigilant, particularly in the face of increasingly sophisticated cyber threats. While the ability to detect, respond and recover from a cyber-breach will still remain a core competency in the cyber resilience framework, focus will be expanded to strengthen industry’s capabilities to proactively detect cyber threats and organise their cyber defence.
Market participants would need to strengthen their ability to detect and fend off incoming attacks within their own perimeters. To that end, ongoing efforts are centred around strengthening intelligence capabilities against potential cyber threats and breaches. Market participants should also consider more extensive self-assessment methods beyond penetration tests, such as red team or blue team exercises to identify vulnerabilities and areas to be strengthened, to complement annual cyber simulation exercises.
As the cyber capabilities of the industry mature, more proactive methods for cyber defence, such as using AI models to predict and respond to unknown cyber threats can also be explored. Moving forward, the SC will continue to work closely with the industry to develop an approach to enhance cyber defence in the industry.
The human risk factor should also not be underestimated. Regular cyber security awareness and training programmes should become the norm for all employees to reduce the risk of phishing, identity theft and other social engineering threats. Market participants should also ensure that cyber security factors become increasingly embedded in the overall design of their top-to-bottom technology stack. This would help raise the level of cyber hygiene within their environment and reduce the risk of malicious intrusions into the system. For market participants considering deployment of cloud-based or as-a-service capabilities, they should be mindful that the continued responsibilities of managing cyber risks still remains with them. To further strengthen the industry’s cyber posture and provide further regulatory guidance, the SC will be looking to develop a framework to regulate technology risks more holistically.
The increasing use of cloud-based services also poses several risks to intermediaries and the industry. Greater reliance on virtual platforms by intermediaries makes them potentially more vulnerable to operational disruptions – any disruption to cloud services may grind operations to a halt and potentially cause financial loss for intermediaries and investors. A single cyber incident at a cloud service provider could also potentially affect multiple intermediaries that subscribe to the same cloud service provider. Provisions in the Licensing Handbook currently cover some elements related to the risk of outsourcing to such providers. However, there are other sources of risk that intermediaries need to be aware of, including potential vulnerabilities due to integration with legacy systems and the risk of compromised credentials. Intermediaries utilising such services should put in place a suitable risk management framework and take measures to mitigate related risks, including having internal policies for cloud outsourcing and cloud security as well as trainings for employees.
106 SECURITIES COMMISSION MALAYSIA