SC Technology Risk Management Independent Review — AKATI Sekurity

SC Technology Risk Compliance Review

Independent Assessment Against SC Guidelines on Technology Risk Management

The Securities Commission Malaysia's Guidelines on Technology Risk Management (SC-GL/2-2023, revised 19 August 2024) establish comprehensive requirements for all capital market entities to govern technology risk, strengthen cybersecurity resilience, manage third-party service providers, and report incidents to the SC.

AKATI Sekurity provides independent, third-party compliance reviews against the full scope of the SC TRM Guidelines — from board oversight through to cybersecurity operations, VAPT, cloud risk, AI governance, and incident notification. We identify gaps before the SC does.

  • Guideline reference: SC-GL/2-2023 (R1-2024)
  • Issued under Section 377 CMSA
  • Revised 19 Aug 2024
  • 5 Appendices

Issued under Section 377 CMSA. These Guidelines supersede the Guidelines on Management of Cyber Risk (GMCR). Capital market entities jointly regulated by other regulators must comply with all relevant guidelines — where requirements differ, the more stringent requirements apply. The SC may appoint an independent party to review compliance at the entity's cost.

Who Must Comply

Capital Market Entities

The SC TRM Guidelines apply to all capital market entities as defined in the CMSA. Each entity must assess which requirements apply to it and implement them in a manner commensurate with its business operations and technology risk exposure.

  • Exchange Holding Companies
  • Stock Exchanges
  • Derivatives Exchanges
  • Clearing Houses
  • Trade Repositories
  • Central Depositories
  • Self-Regulatory Organisations
  • PRS Administrators
  • CMSL Holders
  • Recognised Market Operators
  • Registered Persons (Schedule 4)
  • Section 76A Registrants

Regulatory Architecture

6 Compliance Chapters

The SC TRM Guidelines are structured across 6 chapters and 5 appendices. Select any domain below to explore the key requirements AKATI Sekurity assesses during an independent compliance review.

Chapter 5

Governance

Board oversight, senior management accountability, cybersecurity awareness training, and technology audit obligations form the foundation of the SC TRM Framework.

  • Board approves TRM Framework, risk appetite, and risk tolerance statement
  • TRM Framework reviewed at least every 3 years; policies reviewed annually
  • Designated senior management for day-to-day technology risk oversight
  • Separate designee for technology and cybersecurity strategy implementation
  • Annual cybersecurity awareness training for board, staff, and agents
  • Technology audit plan covering critical technology with competent auditors
  • Audit report with independent opinion on risk management effectiveness
  • SC may appoint independent party to review compliance at entity's cost

Chapter 6

Technology Risk Management

Comprehensive risk identification, assessment, mitigation, monitoring, and reporting framework with board-approved risk register and accountable risk owners.

  • Establish robust TRM Framework reviewed at least every 3 years
  • Policies and procedures reviewed and updated at least annually
  • Full risk lifecycle: identify, assess, mitigate, monitor, review, and report
  • All risks assigned to accountable risk owners with treatment plans
  • Board-approved key technology risk register maintained
  • Senior management approval required for any deviation from framework
  • Residual risk documented and managed per risk acceptance criteria
  • Continuous review of risk exposures against risk appetite

Chapter 7

Technology Operations Management

The largest chapter — covering project management, SDLC, access control, cryptography, data security, DLP, change management, patch management, network resilience, disaster recovery, and cloud storage.

  • Technology project management with post-implementation review
  • SDLC with security requirements: access control, data integrity, logging
  • Cybersecurity assessment mandatory prior to system deployment (7.13A)
  • MFA and privilege access management for sensitive system functions
  • Cryptographic key lifecycle management from generation to disposal
  • Data loss prevention policy for data in-use, in-motion, and at-rest
  • Source code escrow for critical systems or documented alternative
  • Change management with risk analysis and senior management approval
  • Patch deployment within specified timeframes by severity level
  • EOL/EOS monitoring with technology refresh plan before support ends
  • Disaster recovery plan tested at least annually with documented results
  • Cloud risk assessment: data residency, vendor lock-in, and exit strategy

Chapter 8

Technology Service Provider Management

Due diligence, contractual controls, ongoing monitoring, and exit strategy for all outsourced technology services including cloud providers and sub-contractors.

  • Due diligence before appointing any technology service provider
  • SLA with performance metrics, security requirements, and audit rights
  • Ongoing monitoring of service provider performance and risk posture
  • Data hosted overseas requires additional risk assessment and controls
  • Robust exit strategy ensuring business continuity if relationship ends
  • Board oversight and accountability for all outsourcing arrangements
  • Sub-contracting controls: initial provider accountable for downstream risk
  • Data sanitisation requirements when provider relationship terminates

Chapter 9

Cyber Security Management

Cyber resilience framework encompassing threat detection, vulnerability management, incident response, recovery planning, and cyber drill exercises.

  • Cyber resilience framework: anticipate, absorb, adapt, respond, recover
  • SOC with 24/7 monitoring, SIEM, and threat intelligence capabilities
  • Vulnerability assessment and penetration testing on critical systems
  • Cyber incident response plan with defined roles and escalation paths
  • Regular cyber drill exercises testing response and recovery capabilities
  • Independent compromise assessment of critical infrastructure
  • Cyber risk management strategies per Appendix 2 methodology
  • Recovery time objectives defined and tested for critical systems

Chapter 10

Notification Process

Mandatory SC notification for technology implementations, material changes, cyber incidents, technology incidents, and near-miss events.

  • Notify SC of new technology implementations and material changes per Appendix 4
  • Immediate notification of cyber incidents affecting operations or clients
  • Technology incident reporting for service disruptions impacting business
  • Near-miss event reporting: high-potential incidents detected before substantial impact
  • Notification format and timeline per Appendix 5 requirements

Appendices 1–5

AI/ML Governance & Notification Templates

Supporting appendices covering risk assessment guidance, cyber risk methodology, AI/ML guiding principles, and standardised SC notification templates.

  • Appendix 1: Guidance on risk identification, assessment, mitigation, monitoring, review, and reporting
  • Appendix 2: Methodology for implementing cyber risk management strategies and measures
  • Appendix 3: Guiding principles for adoption of Artificial Intelligence and Machine Learning
  • Appendix 4: Notification template for technology-related implementation
  • Appendix 5: Notification template for technology incidents, cyber incidents, and near-miss events

AKATI Sekurity Services

How We Help You Comply

AKATI Sekurity delivers the independent assessments, testing, and advisory services that capital market entities need to demonstrate compliance with the SC TRM Guidelines.

Compliance

SC TRM Gap Analysis

Comprehensive assessment against all 6 chapters and 5 appendices. Prioritised findings mapped to specific SC paragraphs with remediation timelines.

Cybersecurity

VAPT & Compromise Assessment

Vulnerability assessments, intelligence-led penetration testing, and independent compromise assessments of critical technology infrastructure.

Operations

24/7 SOC & Threat Monitoring

Managed Security Operations Centre with SIEM, threat intelligence, incident coordination, and vulnerability management per Chapter 9 requirements.

Advisory

Cloud & Third-Party Risk

Cloud adoption risk assessment, service provider due diligence, ongoing monitoring framework, and exit strategy design per Chapter 8.

Governance

TRM Framework Development

Design and implementation of the complete TRM Framework — governance, risk management, operations, cybersecurity, and AI/ML principles per Appendix 3.

Response

Incident Response & Forensics

Cyber incident investigation, containment, recovery, and SC notification support. Digital forensics and post-incident review per Chapter 9 and Chapter 10 requirements.

Why AKATI Sekurity

Independent. Competent. Proven.

The SC requires technically competent auditors and may appoint independent reviewers at any time. AKATI Sekurity meets every qualification threshold — with deep capital markets experience across Malaysia.

Capital Markets Expertise

Experience with exchanges, clearing houses, CMSL holders, fund administrators, and recognised market operators across the Malaysian capital market.

Full Chapter Coverage

Single engagement partner for governance review, VAPT, SOC, cloud advisory, incident response, and TRM Framework development — all 6 chapters.

Certified & Independent

QSA, ASV, CREST-approved, and ISO 27001 certified. Independent from your technology operations, meeting the SC's requirements for objectivity.

SC-Ready Reporting

Every finding mapped to specific SC TRM paragraphs. Audit-ready documentation that demonstrates compliance and prioritises remediation.

Next Step

Secure Your SC TRM Compliance

The SC TRM Guidelines are in effect — and the SC can appoint independent reviewers at any time at your cost. Get ahead of scrutiny. Contact AKATI Sekurity for a comprehensive compliance review.