Technology & Cybersecurity Risk Management
Technology risk is defined as potential detrimental events occurring from the use of Information Technology (IT) platforms, systems, applications, and infrastructure, which could result in financial loss, disruption of business operations, or reputational harm to Bursa. Cybersecurity risk means the risk of cyber threats or vulnerabilities occurring within the realm of the information assets, IT systems, network, and operating environment.
The Group adopts SC’s Guidelines on Financial Market Infrastructures and Guidelines on Technology Risk Management, Cyber Resilience for Financial Market Infrastructures issued by the International Organization of Securities Commissions (IOSCO), as well as other industry best practices. The Technology & Cybersecurity Risk Management Framework was established to strengthen the ability of Bursa to detect and mitigate the technology and cybersecurity risk that accompanies greater technology adoption in the management and achievement of its operational and strategic objectives.
Technology audits/assessments are carried out regularly to provide independent and objective assurance on the effectiveness of risk management, governance, and internal controls of Bursa Malaysia’s technology adoption and cybersecurity capabilities.
RC also conducts project risk assessment and system readiness reviews on selected projects based on a set of pre-defined criteria to ensure effective governance and project risk management, resolution of issues identified, business continuity planning, and comprehensiveness of the policies and procedures, prior to the implementation or launch of any significant systems development and enhancement for existing or new products and services.
Bursa Malaysia has maintained certification for the Information Security Management System (ISMS). The ISMS scope covered the management, operation and maintenance of the information system assets, IT security and information systems of Bursa Malaysia and its subsidiaries. Prior to the re-certification exercise, internal audits were conducted by a qualified team of personnel.
Appropriate systems with adequate capacity, security arrangements, facilities and resources are in place to mitigate risks that could cause interruption to the Group’s critical business functions. The Group has a Business Continuity Plan (BCP), including a Disaster Recovery Plan, which is tested annually to ensure continuity of the business and technology operations. Besides the mandatory industry-wide tests, the Group also facilitates BCP exercises for the market participants. The objective of this exercise was to ensure that market participants’ backup sites/systems can be connected successfully to Bursa Malaysia in the event of a disruption.